PCI Compliance Survey Finds Companies Need Improvement

October 2, 2009

The Ponemon Institute recently published a survey on Payment Card Industry Data Security Standards (“PCI DSS”) compliance. The Ponemon Institute is an independent research firm that conducts research on privacy, data protection and information security policy. PCI DSS is created by the Payment Card Industry Security Standards Council (the “Council”), an international organization founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. in 2006 to develop and manage certain credit card industry standards related to data privacy and security.
PCI DSS is a set of requirements created by the Council to help protect the security of electronic payment card transactions that include personal information of cardholders, and operates as a standard for security for organizations utilizing credit card information. It applies to all organizations that hold, process or pass credit cardholder information and includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures to help organizations protect customer credit and debit card account data.
The purpose of the survey was to determine whether PCI compliance improves organizational security and how PCI DSS compliance affects a company’s approach to achieving data protection and security. The survey found that 71% of the 517 US and multinational IT and IT practitioners surveyed do not believe that their companies view data security as a top strategic initiative, and 55% do not believe that their CEOs strongly support PCI DSS compliance efforts. Fifty-two percent do not believe their organization is proactive in its management of privacy and data protection risks. In addition, 60% say that their organizations do not have sufficient resources to achieve PCI DSS compliance. Fifty-six percent of the respondents do not believe that PCI DSS compliance improves their companies’ data security posture, although 75% of respondents say their companies have achieved some level of compliance. Seventy-nine percent of the organizations surveyed had at least one data breach.
The survey found that the biggest obstacles to achieving PCI DSS compliance are cost and lack of support from senior management. Based on its findings, the Ponemon Institute recommended the following:
- Companies should consider displaying a compliance logo that will inform consumers of their compliance with PCI DSS so that consumers can have confidence in these companies;
- Compliance requirements should be tailored to the size of the company;
- PCI DSS compliance should be made part of the company’s overall strategic initiative, so that senior management can become more supportive; and
- Companies should assign a PCI DSS “champion” who is responsible and accountable for PCI compliance and the overall security program.