At the same time, only 38% of non-compliant organizations reported suffering no breaches involving credit card data over the same period.
The 2011 PCI DSS Compliance Trends Study surveyed 670 US and multinational IT security practitioners on PCI DSS compliance.
For data breaches overall, 63% of PCI DSS compliant organizations suffered no more than a single data breach, compared to 22% of non-compliant organizations. Notably, 26% of non-compliant organizations suffered more than five breaches over the same two-year period.
“There is clear value to overall security in the organization for being PCI DSS compliant. However, there is still the perception among people that it does not have appropriate value for the organization”, Amichai Shulman, chief technology officer of Imperva, told Infosecurity.
Only 12% of respondents considered PCI DSS compliance as having a positive effect on the organization’s security. In addition, only 33% believe that PCI DSS compliance expenditure is covered by the value it brings to the organization.
“There is a perception among respondents that PCI DSS is not working for them. However, when we tried to measure this in terms of data breaches, the impact of being PCI DSS compliant, we got very different results”, Shulman said.
“Many people responded that their main reason for becoming PCI DSS compliant is either to increase their department’s budget or to become more friendly with larger partners, such as the credit card companies”, he observed.
This year’s report also found that two-thirds of respondents have achieved substantial compliance with PCI DSS. This compares with only half of the respondents for the 2009 study. Roughly 25% of respondents in 2009 had not achieved any level of compliance, whereas the percentage dropped to only 16% of those surveyed in 2011.
About 49% of respondents considered access restriction on a need-to-know basis to be the most difficult PCI DSS requirement to comply with, followed by developing and maintaining secure applications at 45%.
Organizations need to have a “clear leader” for PCI DSS compliance, Shulman said. “Unless there is a clear leader, organizations do not become compliant”, he added.
“Not necessarily increasing the budget indicates success [with PCI DSS compliance], but using the most cost effective solutions makes the difference. This is a key point from this report”, he concluded.
Comments
PrivacyBlogger says:
26 April 2011
This important new study is evidence that compliance with the PCI DSS can help to prevent data breaches, thus effectively protects sensitive information. Compliance with the standard is becoming more and more important for businesses of all sizes.
At the cippguide.org, we take a look at privacy issues worldwide. We also help prepare candidates for the CIPP certification exams. To learn more about PCI DSS and other privacy issues, check out our blog at: https://www.cippguide.org/2011/04/19/pci-dss-preventing-credit-card-fraud/