Companies are still struggling with data security despite regulatory rulings.
A survey by the Ponemon Institute and Imperva found that 71 per cent of companies do not treat PCI as a strategic initiative, yet 79 per cent have experienced a data breach.
The survey also found that companies taking a strategic approach to PCI compliance have fewer data breaches. It claimed that the PCI DSS standard has the potential to make a powerful impact to corporate IT security initiatives. Twenty-seven per cent of companies believe that compliance is positively contributing to their organisations' security posture and are taking a strategic approach to compliance.
Imperva CEO Shlomo Kramer, said: “Nobody is in business to be compliant. But there is a silver lining to this survey: if you protect consumers as required by the PCI DSS standard, there is an incredible opportunity to improve your overall security posture.”
Larry Ponemon, chairman and founder of the Ponemon Institute, said: “Security departments are using PCI compliance as leverage to gain more budget, but these resources are not always translating into greater security for sensitive customer data. The results of our study indicate that while some companies have figured out how to convert PCI standards into an overall security mandate—many more have not.”
The survey found that only 28 per cent of smaller companies (501-1,000 employees) comply with PCI, as opposed to 70 per cent of larger companies (75,000 or more employees). Imperva has made specific recommendations to consumers, businesses and the PCI DSS Council to improve the safety of consumers' personal information in advance of the 31st October deadline for input on changing PCI DSS standards.
Imperva CTO Amichai Shulman, said: “Imperva is recommending that the PCI DSS Council modify the requirements for larger and smaller companies to take into account different environments and security needs.
“Smaller companies should have smaller regulations, not be half compliant but different layers affect different deadlines. The remaining fact is that potential change is smaller, so there should be less requirements.
“The Heartland CEO said the assessors did not know what they were doing and there are variants and it is understandable as long as you have direct and simple criteria then the bare minimum is done. Use a firewall, anti-virus - small businesses do this, the council need to sit up and make more clear guidelines.”
Imperva's recommendations to consumers were to look for PCI compliant companies, although compliance does not guarantee perfect security, it helps the odds. For businesses it recommended using PCI to bring about a broader, more effective security program and as a way to get senior management aware of and involved in IT security. PCI creates a business case that is tightly coupled to information security, and a champion, who owns and drives PCI as well as security and is strongly empowered to direct numerous teams for support, should be appointed.
Imperva also recommended that the PCI DSS Council introduce a compliance logo for consumers and modify compliance needs for larger and smaller companies.