PCI Survey Finds Some Merchants Don’t Use AV Software

Consumers face a greater risk of losing control of their data when doing business with smaller retailers, as many haven’t made investments to comply with the Payment Card Industry’s Data Security Standard (PCI DSS), according to a new survey.

The survey, which covered 560 U.S. and multinational organizations, asked respondents a variety of questions about their investments and deployment of technology to comply with PCI DSS, which was introduced in 2005. It’s an industry standard created by major credit card companies that’s designed to protect customer payment data.

The survey found that 55 percent of organizations only secured credit card information but not other data such as Social Security and driver’s license numbers or bank account details. Also, only 28 percent of smaller companies between 501 to 1,000 employees comply with PCI DSS. That compares with more than 70 percent of large merchants with 75,000 or more employees that claimed they’re compliant.

“If you go the larger organizations to do business, you are more likely to be secure today,” said Amichai Shulman, CTO for Imperva, which makes security software for businesses to comply with PCI DSS. Imperva commissioned the survey from Ponemon Institute, a company that conducts research into privacy and information security policy.

The prime reason that companies don’t comply with PCI DSS is cost, Shulman said. “They don’t go to the effort to be compliant because it’s all or nothing, so they currently do nothing,” Shulman said.

Larger companies find it somewhat easier to handle the costs, he said. On average, companies spend about 35 percent of their IT security budgets on PCI DSS compliance.

Payment card companies mandate compliance, and most merchants are supposed to be compliant by now, according to information on the PCI Security Standards Council’s Web site.

The survey turned up some other disconcerting results. Around 10 percent of the respondents who said they were PCI DSS compliant said they weren’t using basic security software such as antivirus, firewalls and SSL (Secure Sockets Layers), Shulman said.

PCI doesn’t prescribe the use of specific software products but instead promotes practices and general advice, such as using a firewall and antivirus. In recent years, vendors have developed products to make the implementation of PCI DSS easier. Still, the result was surprising and indicative of perhaps continuing confusion or difficulty some businesses are having with PCI DSS.

“I would find it very hard to explain why I’m not using SSL as part of my PCI compliance,” Shulman said. “It seems to me that there is too much room for misinterpretation of the requirement, and companies are abusing it.”

PCI DSS is in the process of being updated, and the survey will be used as input. The PCI Security Standards Council, which was set up by major credit card companies in 2006, is collecting feedback through Oct. 31 on changes to a new version of the standard, due for release in September 2010.