Two-thirds of PCI DSS compliant firms had no credit card breaches

At the same time, only 38% of non-compliant organizations reported suffering no breaches involving credit card data over the same period.

The 2011 PCI DSS Compliance Trends Study surveyed 670 US and multinational IT security practitioners on PCI DSS compliance.

For data breaches overall, 63% of PCI DSS compliant organizations suffered no more than a single data breach, compared to 22% of non-compliant organizations. Notably, 26% of non-compliant organizations suffered more than five breaches over the same two-year period.

“There is clear value to overall security in the organization for being PCI DSS compliant. However, there is still the perception among people that it does not have appropriate value for the organization”, Amichai Shulman, chief technology officer of Imperva, told Infosecurity.

Only 12% of respondents considered PCI DSS compliance as having a positive effect on the organization’s security. In addition, only 33% believe that PCI DSS compliance expenditure is covered by the value it brings to the organization.

“There is a perception among respondents that PCI DSS is not working for them. However, when we tried to measure this in terms of data breaches, the impact of being PCI DSS compliant, we got very different results”, Shulman said.

“Many people responded that their main reason for becoming PCI DSS compliant is either to increase their department’s budget or to become more friendly with larger partners, such as the credit card companies”, he observed.

This year’s report also found that two-thirds of respondents have achieved substantial compliance with PCI DSS. This compares with only half of the respondents for the 2009 study. Roughly 25% of respondents in 2009 had not achieved any level of compliance, whereas the percentage dropped to only 16% of those surveyed in 2011.

About 49% of respondents considered access restriction on a need-to-know basis to be the most difficult PCI DSS requirement to comply with, followed by developing and maintaining secure applications at 45%.

Organizations need to have a “clear leader” for PCI DSS compliance, Shulman said. “Unless there is a clear leader, organizations do not become compliant”, he added.

“Not necessarily increasing the budget indicates success [with PCI DSS compliance], but using the most cost effective solutions makes the difference. This is a key point from this report”, he concluded.