SecurityWeek

Survey Reveals Changing Views on PCI Compliance

Study from Cisco Highlights Surprising Attitudes on Compliance, Standards Adoption, and Challenges Meeting PCI DSS Requirements

Seventy percent of IT decision makers feel that their organization is more secure than it would be if PCI compliance were not required. That’s according to a recent survey of 500 IT decision-makers to uncover their thoughts on PCI Data Security Standards (PCI DSS).

The survey, conducted by InsightExpress for Cisco, included IT decision-makers involved in their organizations’ PCI compliance programs in the education, financial services, government, health care and retail industries. The study aimed to gauge adoption, chronicle the costs and challenges associated with compliance, and measure the uptake of certain technologies, in order to better understand the approaches organizations are taking to meet the requirements.

Key Survey Findings

Think PCI is not beneficial? Think again, says Cisco.

• Of the survey respondents, 87 percent believe that the PCI requirements are necessary for protecting cardholder data.

• Among verticals, respondents from retail felt as comfortable in their likelihood to pass an assessment of their PCI compliance as did financial services respondents, showing that the retail industry has made great strides in adoption and implementation efforts.

• Sixty-seven percent of respondents anticipate that their spending on PCI compliance will increase in the next year, indicating positive executive and board buy-in for this important initiative.

• In addition, 60 percent of respondents suggested that PCI-compliance projects can drive other network or network security projects.

“This survey demonstrates that the PCI Council is being successful in communicating and getting the active participation and increased adoption of the PCI standards among stakeholders. The findings also suggest that organizations are increasingly aware of the benefits of compliance. However, there continue to be challenges that need to be addressed in order to effectively protect cardholder data, and there are no silver bullets,” said Fred Kost, director, Security Solutions, Cisco.

Top challenges of PCI DSS requirements

When asked to name specific challenges in implementing the PCI DSS requirements, respondents most often cited educating employees on the proper handling of cardholder data: 43 percent identified this as an issue. Updating antiquated systems was named by 32 percent of respondents.

Of the 12 PCI DSS requirements, respondents said that tracking and monitoring all access to network resources and cardholder data (37 percent), developing and maintaining secure systems and applications (32 percent), and protecting stored cardholder data (30 percent) cause the most difficulty in achieving or maintaining compliance.

Adherence to the PCI DSS

Government fares better than other sectors on PCI assessments, but the vast majority of respondents are making strides in protecting their sensitive cardholder data.

• Eighty-five percent believe they would pass an assessment today, and 78 percent passed their initial assessment.

• Surprisingly, government respondents fared better than all other sectors analyzed, with 85 percent passing their initial assessment. Health care organizations unfortunately fared the worst, with a 72 percent pass rate at the time of assessment.

• More than 85 percent of respondents were aware of the clarifications and recommendations associated with the newly announced PCI DSS 2.0 standards.

How they are doing it – Technologies in the Payments Space

Among the most interesting and surprising elements of the study are the responses on the role of technology in payment environments. A key takeaway from the survey is that organizations are adopting technologies in advance of PCI Security Standards Council directives.

Although the council has published guidance on technologies not specifically covered by the DSS, including point-to-point encryption and EMV (Europay, MasterCard and Visa, commonly referred to as the “Chip and PIN” card system), definitive standards for point-to-point encryption do not yet exist. Organizations nonetheless appear to be adopting the technology in the hope of reducing the scope of their cardholder data environment, the set of systems that store, process or transmit card data. Whether an encryption deployment actually takes systems out of scope is a judgment the organization’s assessor makes, and without a council standard to validate against, that judgment can vary. Similarly, while the council has clarified a few points around virtualization, the industry is still waiting for fuller guidance on the topic. Organizations are not necessarily waiting for the council to act, however, and are applying security best practices in these areas on their own.

Virtualization

◦ Fifty-seven percent of respondents were satisfied with their current virtualization security posture.

◦ Thirty-six percent need to increase the number of virtual security appliances (like firewalls and intrusion-prevention systems) in order to meet PCI 2.0 compliance.

◦ Thirty percent will need to further harden their virtualization software using vendor-supplied guides and PCI guidance.

Point-to-point encryption and EMV

◦ Sixty percent were using point-to-point encryption to simplify their compliance efforts and possibly reduce the scope of their next PCI assessment.

◦ Nearly 70 percent of financial services organizations were using point-to-point encryption.

◦ Forty-five percent of survey respondents indicated they were using EMV to reduce the likelihood of card-present fraud.

◦ Another 23 percent were not yet using EMV, but were thinking about it.

Eric Shou, Group Product Marketing Manager at McAfee and regular SecurityWeek contributor, suggests that organizations make an actionable plan. “Now that the holiday crunch is over, it’s a good time to take stock of where your business is with regard to PCI compliance. Make a plan—a resolution, if you will—to take a larger, more holistic approach to managing compliance. One that provides categorical control over IT infrastructure, enabling you to fulfill the difficult PCI requirements and validate PCI compliance in a more efficient and cost-effective manner,” Shou writes.

“These results are to be expected given the rising awareness and costs associated with data breaches and identity theft. PCI has helped, especially where competition for budget dollars is high, and the need to protect customers is equally important. Additionally, PCI is focused on increasing effectiveness, reducing complexity, and enabling continuous measurement and reporting – all of which are the direction that the security industry must go,” said John N Stewart, Vice President and Chief Security Officer at Cisco.

Related Reading: PCI DSS v2.0 – What Your QSAs Will Be Looking For

Related Reading: Make Improved PCI Compliance Your New Year’s Resolution
