PCI DSS compliance cuts breach risk, says report
Organizations that are PCI DSS compliant suffer fewer breaches, but most do not think the standards have had a positive impact on security
By Bob Violino
April 19, 2011 — CSO —
Even though PCI-compliant organizations suffer fewer data breaches overall, most practitioners still do not perceive that Payment Card Industry (PCI) Data Security Standard (DSS) compliance has a positive impact on data security. That's the finding of a study released by The Ponemon Institute on April 19.
The firm's 2011 PCI DSS Compliance Trends Study, conducted with Imperva, asked 670 IT security professionals worldwide how efforts to comply with the standards affect their companies' data protection and security.
According to the study, 64 percent of PCI DSS compliant organizations reported suffering no data breaches involving credit card data over the past two years, while only 38 percent of non-compliant organizations reported suffering no breaches involving credit card data over the same period.
As for overall data breaches (general incidents as well as those involving credit card data), 63 percent of compliant organizations suffered no more than a single data breach, compared with 22 percent of non-compliant organizations. About one-quarter (26 percent) of non-compliant organizations suffered more than five breaches over the same time period.
Despite evidence to the contrary, the study found that a large majority (88 percent) of respondents do not think PCI DSS compliance has a positive effect on the number of breaches experienced. Only 39 percent mentioned data security improvement as one of the regulation's value propositions for business. And only 33 percent think the cost of complying with PCI DSS is covered by the value it brings to the organization.
"PCI is prescriptive and defines several precise technical requirements," says Rob Rachwald, director of security strategy at Imperva. "Many organizations may feel that many of these specific steps are superfluous, while not seeing the broader impact PCI has had on their security posture."
The report also found that two-thirds of respondents have achieved substantial compliance with PCI DSS. In the 2009 PCI DSS Compliance Trends Study, the number of respondents who had achieved similar levels of compliance was only half, and about 25 percent of respondents in 2009 hadn't achieved any level of compliance. Only 16 percent of the organizations surveyed this year have not achieved any level of PCI DSS compliance.
"Across several geographies and company sizes, PCI deadlines have hit," Rachwald says. "As a result, PCI compliance rates have risen."