Study Highlights Surprising Attitudes on Compliance, Standards Adoption, and Challenges Meeting PCI DSS Requirements
January 12, 2011
SAN JOSE, Jan. 12, 2011 - In the wake of the massive breaches of payment card data in the past few years, PCI compliance and its adoption have been top of mind for any organization concerned about suffering a similar fate. Today, Cisco unveiled the results of a survey, conducted by InsightExpress, of 500 information technology decision-makers to gauge current sentiment on the PCI Data Security Standard (PCI DSS) five years after the standard emerged. The survey included IT decision-makers involved in their organizations' PCI compliance programs in the education, financial services, government, health care and retail industries. The study aimed to gauge adoption, chronicle the costs and challenges associated with compliance, and measure the uptake of certain technologies in order to better understand the approaches organizations are taking to meet the requirements.
Key survey findings
Think PCI is not beneficial? Think again
- Seventy percent of survey respondents feel that their organization is more secure than it would be if PCI compliance were not required.
- Of the survey respondents, 87 percent believe that the PCI requirements are necessary for protecting cardholder data.
- Among verticals, retail respondents were as confident of passing an assessment of their PCI compliance as financial services respondents were, showing that the retail industry has made great strides in adoption and implementation.
- Sixty-seven percent of respondents anticipate that their spending on PCI compliance will increase in the next year, indicating positive executive and board buy-in for this important initiative.
- In addition, 60 percent of respondents suggested that PCI-compliance projects can drive other network or network security projects.
Top challenges of PCI DSS requirements
- When asked to name specific challenges in implementing the PCI DSS requirements, respondents most often cited educating employees on the proper handling of cardholder data (43 percent). Updating antiquated systems was named by 32 percent of respondents.
- Of the 12 PCI DSS requirements, respondents said that tracking and monitoring all access to network resources and cardholder data (Requirement 10; 37 percent), developing and maintaining secure systems and applications (Requirement 6; 32 percent), and protecting stored cardholder data (Requirement 3; 30 percent) cause the most difficulty in achieving or maintaining compliance.
Adherence to the PCI DSS
Government fares better than other sectors on PCI assessments, but the vast majority of respondents are making strides in protecting their sensitive cardholder data.
- Eighty-five percent believe they would pass an assessment today, and 78 percent passed their initial assessment.
- Surprisingly, government respondents fared better than all other sectors analyzed, with 85 percent passing their initial assessment. Health care organizations fared the worst, with a 72 percent pass rate at the time of assessment.
- More than 85 percent of respondents were aware of the clarifications and recommendations in the newly announced PCI DSS 2.0 standard.
A look at how they are doing it: Technologies in the payments space
Among the most interesting and surprising elements of the study are the responses on the role of technology in payment environments. A key take-away is that organizations are adopting technologies ahead of PCI Security Standards Council directives.
Although the council has provided guidance on technologies not specifically covered by the DSS, including point-to-point encryption and EMV (Europay, MasterCard and Visa, commonly referred to as the "Chip and PIN" card system), a definitive standard for point-to-point encryption does not yet exist. Organizations are nonetheless adopting the technology in the hope of shrinking their cardholder data environment, that is, the set of systems that store, process or transmit card data and therefore fall within the scope of an assessment. Likewise, while the council has clarified a few points about virtualization, further guidance on the topic is still awaited. Organizations are not waiting for the council to act, however, and are applying security best practices in these areas on their own.
- Fifty-seven percent of respondents were satisfied with their current virtualization security posture.
- Thirty-six percent need to increase the number of virtual security appliances (like firewalls and intrusion-prevention systems) in order to meet PCI 2.0 compliance.
- Thirty percent will need to further harden their virtualization software using vendor-supplied guides and PCI guidance.
Point-to-point encryption and EMV
- Sixty percent were using point-to-point encryption to simplify their compliance efforts and possibly reduce the scope of their next PCI assessment.
- Nearly 70 percent of financial services organizations were using point-to-point encryption.
- Forty-five percent of survey respondents indicated they were using EMV to reduce the likelihood of card-present fraud.
- Another 23 percent were not yet using EMV, but were thinking about it.
Cisco Support for PCI
For more information about how Cisco can provide insight, guidance and support for PCI data security compliance, please visit www.cisco.com/go/pci or www.cisco.com/go/security. Additional PCI technology and information resources are listed below.
Fred Kost, director, Security Solutions, Cisco:
"This survey demonstrates that the PCI Council is being successful in communicating and getting the active participation and increased adoption of the PCI standards among stakeholders. The findings also suggest that organizations are increasingly aware of the benefits of compliance. However, there continue to be challenges that need to be addressed in order to effectively protect cardholder data, and there are no silver bullets. Progress has been good, but there is more work to be done as we face ever-evolving threats and the emergence of new technologies."
John N. Stewart, vice president and chief security officer, Cisco:
"These results are to be expected given the rising awareness and costs associated with data breaches and identity theft. PCI has helped, especially where competition for budget dollars is high and the need to protect customers is equally important. Additionally, PCI is focused on increasing effectiveness, reducing complexity, and enabling continuous measurement and reporting, all of which are the direction that the security industry must go."
- PCI Study Whitepaper
- PCI Study blog post
- PCI Study Slide Presentation
- Cisco PCI Resource Site: www.cisco.com/go/pci
- Cisco Security Resource Site: www.cisco.com/go/security