Only half of the companies that should be PCI-compliant actually are, a new study has revealed.

When database and web application security vendor Imperva Inc polled 517 US and multinational IT security practitioners, it found that many companies still struggle to protect consumer credit card data and are not implementing the technologies that PCI requires.

Amichai Shulman, CTO of Imperva, said that the use of firewalls, anti-virus and SSL technologies, which are practically mandated by PCI, was not as widespread as expected.

“We were expecting to find that every one of the companies had deployed firewalls. We found a high percentage, in excess of 90% of companies, had implemented firewalls, but it wasn’t as high as it should be.” The same was seen for other technologies.

The PCI DSS standard was put into effect to provide security guidelines to all businesses that handle credit card information, in order to better protect consumers. Since it was enacted in June 2005, the number of data breaches and the amount of credit card fraud have continued to rise.

Shulman said the findings suggest that better guidelines are needed from the PCI Security Standards Council, the body behind the implementation of security standards for account data protection, especially for smaller merchants that operate without large IT groups.

The survey found that only 28% of smaller companies (501-1000 employees) comply with PCI, as opposed to 70% of larger companies (75,000 or more employees).

Imperva found that 60% of respondents to its survey do not believe they have sufficient resources to comply with PCI and achieve the necessary level of cardholder security. “PCI calls for investments in expertise, effort and attention, as much as it does cost,” Shulman suggested.

Those companies that have made the necessary investment in the technologies needed to achieve compliance believe their programmes have delivered business benefits, Shulman said.

“They report PCI compliance has led to better partnership opportunities, better relationships with the card issuers, and a better security posture for the entire organisation.”

Shulman added that companies without PCI compliance tend to find online transactions cost them more, because they end up paying higher commissions and can pay more for insurance.

Larry Ponemon, who carried out the study for Imperva, said there is a need to think about the strategic consequences of compliance initiatives.

“I think that over time the customers are going to hold companies, credit card companies, financial service organisations, merchants, online merchants and so forth to a higher standard and I think that’s going to drive compliance rates as well. One suggestion we make is maybe some external seal that the consumers can read and so they can actually see the companies that are PCI compliant versus those that aren’t and that might actually drive compliance to a higher state other than what we currently see today.”

Ahead of the October 31st deadline for input on changes to the PCI DSS standard, Imperva said it would recommend the introduction of such a compliance logo for consumers.

It will also suggest modified compliance instructions for larger and smaller companies that take into account their different environments and security needs.