Restricting access to cardholder data is the most difficult requirement for merchants to meet in Payment Card Industry Data Security Standard (PCI DSS) compliance audits.

Meanwhile, almost half of businesses would fail audits if they were unable to rely on temporary compensating controls, while two per cent of businesses outright fail compliance audits.

According to the PCI DSS Trends 2010 report on qualified security assessors (QSA) insights, conducted by the Ponemon Institute on behalf of Thales, QSAs believe that requirement seven (restricting access to cardholder data on a business-driven need-to-know basis) is the most important part in achieving PCI DSS compliance.

The report said that QSAs find the most significant threats to card data are in merchant networks and databases containing cardholder data. Speaking to SC Magazine, Larry Ponemon, chairman and founder of the Ponemon Institute, said that this was one of the most interesting points of the report, as there is a lot of concern about whether compliance leads to better security.

He said: “PCI should improve your position, but security is expensive and companies now need to spend on substantial security positions. With respect to the auditors, this is a substantial amount of money and there is a lot of resources needed to become compliant.

“It is expensive to lose data and a QSA will verify that technologies, such as encryption as a tool will solve the database problem with credit card information.”

Kevin Bocek, director of product marketing at Thales said that a data protection strategy is the most important factor for businesses, as it makes the work required to process and audit easier.

Franck Greverie, vice president and managing director for the information technology security activities of Thales, said: “Protecting customer and business data is top priority for every organisation, but demonstrating compliance does not inherently translate into data security.

“Hopefully the results of this survey will help merchants better understand how QSAs view PCI DSS requirements and what works best to achieve compliance. Ultimately this will save merchants time and money and, most importantly, protect their business bottom line.”