What the Survey Says is not good

Patrick Turiano

April 26, 2011

In our reading we came across an interesting article that was published in InformationWeek. The article states that 67% of regulated companies are not in full compliance with the Payment Card Industry Data Security Standard.

Wait, what?

Most commonly known as PCI, the standard was put in place to protect cardholder data. So it’s baffling to see that more than half of the companies that should be in compliance are not.

The findings come through a survey in which 670 IT security practitioners were polled by the Ponemon Institute. The report was sponsored by data security vendor Imperva.

Also according to the survey, 50% of respondents stated that PCI is useless when it comes to improving security. Ouch!

This isn’t the first time the survey has been conducted. The first one came in 2009, and since then 2% fewer responding companies have stated they do not have sufficient resources in place to comply with PCI. The report also finds that 6% more respondents suffered a data breach in the last two years than in 2009 (85% compared to a previous 79%).

But what’s most alarming is that 41% of the survey’s respondents stated they had suffered between two and five breaches in the last two years. That’s up from 30% in 2009. Quite a jump.

What is not surprising is that many of the companies that were not in compliance witnessed at least one breach in the last two years. In the survey, 64% of compliant companies reported that they had not suffered a breach, whereas only 38% of non-compliant companies reported the same. What happened to the other 62%?

While nothing is perfect, and that goes for the PCI standard, these rules and regulations are put in place to protect organizations and to rein in those individuals who see cardholder data as a means to make quick cash.

The numbers within this report are a bit shocking to us, and we’d like to see how they compare to the next report in two years. We hope many of the respondents report that they are seeing fewer breaches and are finding PCI to be more useful.