Organizations that are PCI DSS compliant suffer fewer breaches, but most do not think the standards have had a positive impact on security

Even though the majority of PCI-compliant organizations suffer fewer data breaches overall, most practitioners still do not perceive that Payment Card Industry (PCI) Data Security Standards (DSS) compliance has a positive impact on data security.

That's the finding of a study released by The Ponemon Institute on April 19. The firm's 2011 PCI DSS Compliance Trends Study, conducted with Imperva, asked 670 IT security professionals worldwide how efforts to comply with the standards affect their companies' data protection and security.

According to the study, 64 percent of PCI DSS compliant organizations reported suffering no data breaches involving credit card data over the past two years, while only 38 percent of non-compliant organizations reported suffering no breaches involving credit card data over the same period.

As for overall data breaches (general incidents or those involving credit card data), 63 percent of compliant organizations suffered no more than a single data breach, compared with 22 percent of non-compliant organizations. About one-quarter (26 percent) of non-compliant organizations suffered more than five breaches over the same time period.

Despite evidence to the contrary, the study found that a large majority (88 percent) of respondents do not think PCI DSS compliance has a positive effect on the number of breaches experienced. Only 39 percent mentioned data security improvement as one of the regulation's value propositions for business. And only 33 percent think the cost of complying with PCI DSS is covered by the value it brings to the organization.

"PCI is prescriptive and defines several precise technical requirements," says Rob Rachwald, director of security strategy at Imperva.
"Many organizations may feel that many of these specific steps are superfluous, while not seeing the broader impact PCI has had on their security posture."

The report also found that two-thirds of respondents have achieved substantial compliance with PCI DSS. In the 2009 PCI DSS Compliance Trends Study, the number of respondents who had achieved similar levels of compliance was only half, and about 25 percent of respondents in 2009 hadn't achieved any level of compliance. Only 16 percent of the organizations surveyed this year have not achieved any level of PCI DSS compliance.

"Across several geographies and company sizes, PCI deadlines have hit," Rachwald says. "As a result, PCI compliance rates have risen."