Study from Cisco Highlights Surprising Attitudes on Compliance, Standards Adoption, and Challenges Meeting PCI DSS Requirements
Seventy percent of IT decision makers feel that their organization is more secure than it would be if PCI compliance were not required. That’s according to a recent survey of 500 IT decision-makers to uncover their thoughts on PCI Data Security Standards (PCI DSS).
The survey, conducted by InsightExpress for Cisco, included IT decision-makers involved in their organizations’ PCI-compliance programs from the education, financial services, government, health care and retail industries. The study aimed to accurately gauge adoption, chronicle the costs and challenges associated with compliance, and measure the adoption of certain technologies to better understand the approaches that organizations are taking to meet the requirements.
Key Survey Findings
Think PCI is not beneficial? Think again, says Cisco.
• Of the survey respondents, 87 percent believe that the PCI requirements are necessary for protecting cardholder data.
• Among verticals, respondents from retail felt as comfortable in their likelihood to pass an assessment of their PCI compliance as did financial services respondents, showing that the retail industry has made great strides in adoption and implementation efforts.
• Sixty-seven percent of respondents anticipate that their spending on PCI compliance will increase in the next year, indicating positive executive and board buy-in for this important initiative.
• In addition, 60 percent of respondents suggested that PCI-compliance projects can drive other network or network security projects.
“This survey demonstrates that the PCI Council is being successful in communicating and getting the active participation and increased adoption of the PCI standards among stakeholders. The findings also suggest that organizations are increasingly aware of the benefits of compliance. However, there continue to be challenges that need to be addressed in order to effectively protect cardholder data, and there are no silver bullets,” said Fred Kost, director, Security Solutions, Cisco.
Top challenges of PCI DSS requirements
When asked to define specific challenges for implementing the PCI DSS requirements, educating employees on the proper handling of cardholder data was the single most highly recognized problem that organizations identified, with 43 percent of respondents suggesting this is an issue. Updating antiquated systems was named by 32 percent of respondents.
Respondents feel that of the 12 PCI requirements, tracking and monitoring all access to network resources and cardholder data (37 percent), developing and maintaining secure systems and applications (32 percent), and protecting stored cardholder data (30 percent) cause the most issues for achieving or maintaining compliance.
Adherence to the PCI DSS
Government fares better than other sectors on PCI assessments, but the vast majority of respondents are making strides in protecting their sensitive cardholder data.
• Eighty-five percent believe they would pass an assessment at the current time, and 78 percent passed their previous initial assessment.
• Surprisingly, government respondents fared better than all other sectors analyzed, with 85 percent passing their initial assessment. Health care organizations unfortunately fared the worst, with a 72 percent pass rate at the time of assessment.
• More than 85 percent of respondents were aware of the clarifications and recommendations associated with the newly announced PCI DSS 2.0 standards.
How they are doing it – Technologies in the Payments Space
Among the most interesting and surprising elements of the study are responses that look at the role of technology in payment environments. A key take-away from the survey is that organizations are adopting technologies in advance of PCI Security Standard Council directives.
Although the council has provided guidance on technologies not specifically included in the DSS, including those based on point-to-point encryption and EMV (for Europay, MasterCard and Visa, commonly referred to as the “Chip and PIN” card system), definitive standards for point-to-point encryption do not yet exist. Yet organizations seem to be adopting this technology in the hope of reducing the scope of their so-called cardholder data environment, the computer system that handles the card data. In addition, while the council did clarify a few elements around virtualization, the world awaits additional guidance from the council on this topic. However, organizations are not necessarily waiting for the council to act and are applying security best practices to these areas.
Virtualization
◦ Fifty-seven percent of respondents were satisfied with their current virtualization security posture.
◦ Thirty-six percent need to increase the number of virtual security appliances (like firewalls and intrusion-prevention systems) in order to meet PCI 2.0 compliance.
◦ Thirty percent will need to further harden their virtualization software using vendor-supplied guides and PCI guidance.
Point-to-point encryption and EMV
◦ 60 percent were using point-to-point encryption to simplify their compliance efforts and possibly reduce the scope of their next PCI assessment.
◦ Nearly 70 percent of financial services organizations were using point-to-point encryption.
◦ Forty-five percent of survey respondents indicated they were using EMV to reduce the likelihood of card-present fraud.
◦ Another 23 percent were not yet using EMV, but were thinking about it.
Eric Shou, Group Product Marketing Manager at McAfee and regular SecurityWeek contributor, suggests that organizations make an actionable plan. “Now that the holiday crunch is over, it’s a good time to take stock of where your business is with regard to PCI compliance. Make a plan—a resolution, if you will—to take a larger, more holistic approach to managing compliance. One that provides categorical control over IT infrastructure, enabling you to fulfill the difficult PCI requirements and validate PCI compliance in a more efficient and cost-effective manner,” Shou writes.
“These results are to be expected given the rising awareness and costs associated with data breaches and identity theft. PCI has helped, especially where competition for budget dollars is high, and the need to protect customers are equally important. Additionally, PCI is focused on increasing effectiveness, reducing complexity, and enabling continuous measurement and reporting – all of which are the direction that the security industry must go,” said John N Stewart, Vice President and Chief Security Officer at Cisco.
Related Reading: PCI DSS v2.0 – What Your QSAs Will Be Looking For
Related Reading: Make Improved PCI Compliance Your New Year’s Resolution
