Thursday, 24 September 2009 05:52
Imperva and the Ponemon Institute today announced the findings of a survey across more than 500 U.S. and multinational IT security practitioners showing that, despite the Payment Card Industry’s (PCI) Data Security Standard (DSS), companies still struggle with data security, putting consumers at continued risk for identity theft.In fact, 71 per cent of companies surveyed admit to not making data security a top strategic initiative, and 55 per cent admit to securing only credit card information and not sensitive information such as Social Security numbers, driver’s licence numbers, and bank account details.
However, the survey also found that companies taking a strategic approach to PCI compliance have fewer data breaches. Based on these findings, Imperva is making specific recommendations to consumers, businesses and the PCI DSS Council to improve the safety of consumers’ personal information.
The PCI DSS standard was put into effect to provide security guidelines to all businesses that handle credit card information to better protect consumers. Since it was enacted in June 2005, the number of data breaches and amount of credit card fraud has continued to rise.
According to the survey of more than 500 U.S. and multinational IT security practitioners at companies with an average of $US5.6 billion in annual revenue:
* 71 per cent of respondents do not treat PCI as a strategic initiative, yet 79 per cent have experienced a data breach involving the loss or theft of credit card information.
* 55 per cent of respondents focus only on credit card data protection and do not attempt to secure sensitive information such as Social Security numbers, driver’s licence numbers, bank account details and other data about people and families.
* 60 per cent of respondents don’t think they have sufficient resources to comply with PCI and bring about a necessary level of cardholder security.
“Nobody is in business to be compliant. But there is a silver lining to this survey: if you protect consumers as required by the PCI DSS standard, there is an incredible opportunity to improve your overall security posture,” said Shlomo Kramer, Imperva’s CEO.
“Security departments are using PCI compliance as leverage to gain more budget, but these resources are not always translating into greater security for sensitive customer data,” said Larry Ponemon, chairman and founder, Ponemon Institute.
“The results of our study indicate that while some companies have figured out how to convert PCI standards into an overall security mandate—many more have not.”
Smaller businesses struggle the most
The survey found that only 28 per cent of smaller companies (501-1000 employees) comply with PCI as opposed to 70 per cent of larger companies (75,000 or more employees).
“Companies devote 35 per cent of their IT security budgets to PCI compliance on average, making cost a significant obstacle, especially for smaller companies,” explained Amichai Shulman, Imperva’s CTO. “This is why Imperva is recommending that the PCI DSS Council modify the requirements for larger and smaller companies to take into account different environments and security needs.”
“The PCI Security Standards and the card brands must update the PCI-DSS so that it’s risk-based, depending on the system configuration of the complying company. The ‘one size fits all’ approach of the current standard imposes unreasonable requirements on many companies that have simple networks, or have implemented security technologies that aren’t included in the PCI standards, but provide equal or greater levels of protection,” said Avivah Litan, Vice President and Distinguished Analyst with Gartner Research in a May 2009 report, “Moving Beyond PCI at Visa’s Global Security Summit.”
The PCI DSS standard has the potential to make a powerful impact to corporate IT security initiatives. The survey shows that 27 per cent of companies believe that PCI-DSS compliance is positively contributing to their organisations’ security posture and are taking a strategic approach to compliance.
In fact, companies that were fully PCI compliant had fewer breaches than those that were not compliant. However, the majority (73%) of respondents have achieved PCI compliance using a basic, checklist approach.
Imperva’s recommendations to consumers, businesses and the PCI DSS Council:
To coincide with the October 31st deadline for input on changing PCI-DSS standards, Imperva is providing recommendations to consumers, businesses and the PCI DSS Council.
For PCI-DSS Council
* Have a compliance logo for consumers. Today, companies can’t articulate their security efforts to consumers, and consumers are not aware of the compliance status of the retailers they do business with. As a consequence, companies cannot leverage their investment in PCI compliance to gain competitive advantage.
* * Modify compliance needs for larger and smaller companies. Smaller companies need to have a modified standard that takes into account different environments and security needs.
Consumer recommendations
Look for PCI compliant companies—In general, companies that were compliant suffered fewer breaches. Although compliance doesn’t guarantee perfect security, it helps the odds.
Business recommendations
* Use PCI to bring about a broader, more effective security program.
* Use PCI as a way to get senior management aware of and involved in IT security. PCI creates a business case that is tightly coupled to information security.
* Assign a clear champion who owns and drives PCI as well as security that is strongly empowered to direct numerous teams for support. Without a clear champion, security—and compliance—will suffer.
About The Ponemon Institute
The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries. Visit the Ponemon Institute at www.ponemon.org.
About Imperva
Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment. For more information, visit www.imperva.com.
