Retail Technology
| Log in | Subscribe
Subscribe | Log in
Retail Technology
Subscribe

New research suggests PCI DSS compliant companies suffer fewer data breaches, yet most practitioners don’t believe regulation has positive effect

New research suggests PCI DSS compliant companies suffer fewer data breaches, yet most practitioners don’t believe regulation has positive effect

 

Consumer research organisation, The Ponemon Institute, and data security provider Imperva have announced the results of their second study on the impact of the Payment Card Industry’s (PCI) Data Security Standards (DSS).

 

The 2011 PCI DSS Compliance Trends Study surveyed 670 US and multinational IT security practitioners on how efforts to comply with PCI DSS affect data protection and security. This year’s report shows that, while the majority of PCI compliant organisations suffer fewer or no breaches, most practitioners still do not perceive PCI DSS to have a positive impact on data security.

 

Compliant organisations suffer fewer breaches

 

According to the study, 64% of PCI DSS compliant organisations reported suffering no data breaches involving credit card data over the past two years, while only 38% of non-compliant organisations reported suffering no breaches involving credit card data over the same period.

 

When it came to overall data breaches (i.e. general incidents or those involving credit card data), 63% of compliant organisations suffered no more than a single data breach, compared to 22% of non-compliant organisations. Notably, 26% of non-PCI compliant organisations suffered more than five breaches over the same time period.

 

“At the end of the day, we believe that PCI DSS is one of the most effective data security regulations today and can significantly help companies improve their data security posture,” said Amichai Shulman, co-founder and chief technology officer of Imperva. “Most companies who make an effort to comply with the standards are likely to suffer fewer breaches than those who don’t, period.”

 

PCI DSS perception is cynical

 

Despite evidence to the contrary, the study also found that 88% of respondents did not support the claim that PCI DSS compliance has a positive effect on the number of breaches experienced, and only 39% mentioned data security improvement as one of the regulation’s value propositions for business. In fact, only 33% believe that PCI DSS compliance expenditure is covered by the value it brings to organization.

 

“Looking at the figures regarding the actual decrease in data breaches and recent figures regarding the cost of data breaches, it seems that many practitioners have a much subverted perception of the value of PCI DSS compliance,” said Larry Ponemon, chairman and co-founder of the Ponemon Institute.

 

Nonetheless compliance is increasing

 

This year’s report also found that two-thirds of respondents have achieved substantial compliance with PCI DSS. In the 2009 PCI DSS Compliance Trends Study, the number of respondents who’d achieved similar levels of compliance was only half, and roughly 25% of respondents in 2009 had not achieved any level of compliance. Only 16% of organisations surveyed in 2011 had not achieved any level of PCI DSS by comparison.

 

“Over the past few years, most companies have matured in their understanding of the PCI mandate and have worked to meet strict compliance deadlines,” continued Shulman. “We believe this is one of the primary reasons we’ve seen an overall increase in compliance and also, we believe, a decline in the number of credit card-related data breaches.”

 

“In an era where governments are struggling with the creation of vague yet complex data protection acts, the credit card industry took a bold step towards regulating itself, using plain language, clear goals and a pragmatic focus,” said University of Connecticut School of Business Professor Robert Bird. “PCI isn't perfect – but it succeeded by imposing security mandates and forcing attention on data security - all without government regulation.”