PCI DSS compliance generates results
Living up to the lofty ideals of the Payment Card Industry Data Security Standards can be a major challenge for most businesses, and almost every company that accepts payments is expected to remain PCI compliant.
According to a recent survey performed by Imperva and the Ponemon Institute, businesses tend to perceive PCI compliance as something that does not have a positive impact on their security systems. However, the survey's results indicate companies that maintain PCI-compliant systems are significantly more secure than their non-compliant counterparts.
The survey found that 64 percent of PCI compliant respondents did not experience a data breach involving credit card data during the past two years. Conversely, just 38 percent of non-compliant respondents could say the same. General incident breaches, which do not include any payment card data, were much more common. However, 63 percent of compliant organizations experienced just one general breach. Just 22 percent of non-compliant respondents experienced only a single general breach, while 26 percent were hit by more than five.
"At the end of the day, we believe that PCI DSS is one of the most effective data security regulations today and can significantly help companies improve their data security posture. Most companies who make an effort to comply with the standards are likely to suffer fewer breaches than those who don't, period," said Amichai Shulman, co-founder and CTO of Imperva.
While the survey's findings clearly display PCI compliance's importance to businesses, respondents were not nearly as positive. Overall, 88 percent of respondents said they do not support the claim that PCI compliance positively impacts a business' ability to protect against data breaches. Furthermore, just 33 percent of respondents said the benefits of PCI compliance outweigh the expenses of maintaining systems.
Larry Ponemon, chairman and co-founder of the Ponemon Institute, said practitioners have a "subverted" perception of PCI compliance that does not reflect the actual impact the PCI DSS has on data protection.
Matt Ornce, chief security officer for Electronic Payment Exchange, believes that the combination of added security measures and PCI compliance is the main reason companies avoid data breaches.
“PCI DSS provides sound guidelines for merchants, but it is really scope-reducing security technologies - like tokenization plus encryption - that provide the best protection for merchants,” said Ornce.
As the survey showed, a variety of data breaches are becoming quite common, but savvy businesses are able to successfully protect the most important information. According to a recent SC Magazine report, new trends in cyber security are focusing on security information and event management, a methodology based on identifying how security breaches happen, limiting them and learning from each incident.



