A recent survey conducted by Imperva and the Ponemon Institute reflects that companies still struggle to protect consumer data.
According to the findings of a survey across more than 500 U.S. and multinational IT security practitioners showing that, despite the Payment Card Industry’s (PCI) Data Security Standard (DSS), companies still struggle with data security, putting consumers at continued risk for identity theft. In fact, 71% of companies surveyed admit to not making data security a top strategic initiative, and 55% admit to only securing credit card information and not sensitive information such as Social Security numbers, driver’s license numbers, and bank account details. However, the survey also found that companies taking a strategic approach to PCI compliance have fewer data breaches.
According to press reports, the survey, which covered 560 U.S. and multinational organizations, asked respondents a variety of questions about their investments and deployment of technology to comply with PCI DSS, which was introduced in 2005. It’s an industry standard created by major credit card companies that’s designed to protect customer payment data.
The survey found that 55 percent of organizations only secured credit card information but not other data such as Social Security and driver’s license numbers or bank account details. Also, only 28 percent of smaller companies between 501 to 1,000 employees comply with PCI DSS. That compares with more than 70 percent of large merchants with 75,000 or more employees that claimed they’re compliant.
According to a PCWORLD interview, “If you go the larger organizations to do business, you are more likely to be secure today,” said Amichai Shulman, CTO for Imperva, which makes security software for businesses to comply with PCI DSS. Imperva commissioned the survey from Ponemon Institute, a company that conducts research into privacy and information security policy.
The prime reason that companies don’t comply with PCI DSS is cost, Shulman said. “They don’t go to the effort to be compliant because it’s all or nothing, so they currently do nothing,” Shulman said.
Larger companies find it somewhat easier to handle the costs, he said. On average, companies spend about 35 percent of their IT security budgets on PCI DSS compliance.
Payment card companies mandate compliance, and most merchants are supposed to be compliant by now, according to information on the PCI Security Standards Council’s Web site.
The survey turned up some other disconcerting results. Around 10 percent of the respondents who said they were PCI DSS compliant said they weren’t using basic security software such as antivirus, firewalls and SSL (Secure Sockets Layers), Shulman said.
PCI doesn’t prescribe the use of specific software products but instead promotes practices and general advice, such as using a firewall and antivirus. In recent years, vendors have developed products to make the implementation of PCI DSS easier. Still, the result was surprising and indicative of perhaps continuing confusion or difficulty some businesses are having with PCI DSS.
“I would find it very hard to explain why I’m not using SSL as part of my PCI compliance,” Shulman said. “It seems to me that there is too much room for misinterpretation of the requirement, and companies are abusing it.”
PCI DSS is in the process of being updated, and the survey will be used as input. The PCI Security Standards Council, which was set up by major credit card companies in 2006, is collecting feedback through Oct. 31 on changes to a new version of the standard, due for release in September 2010.
Today’s Web Pro Minute is sponsored by the Adobe Corporation.
Adobe Announces Free eSeminars for Web Professionals
The time is now to be brilliant with your web design and development. Take an hour to join us for complimentary Adobe® Creative Suite® 4 online eSeminars and discover how to redefine the extraordinary in web design and development with Adobe® Creative Suite® 4 Web Premium Software.
Register Today for the Adobe Creative Suite 4 eSeminar Series for Web Professionals