The problem with PCI is that its focus is on protecting acquirer and issuer cardholder data, when outside any merchant it is so easy to skim a card or steal cardholder data and then commit fraud.
January 14
More than half of corporations plan to increase spending this year on payment-security compliance, while the task of educating employees on the proper methods for handling cardholder data remains a pesky challenge, new survey data released Jan. 12 suggest.
To measure corporations’ attitudes and actions regarding the Payment Card Industry data security standards, Cisco Systems Inc. conducted an online survey of 500 information-technology professionals at companies with at least 100 employees between Nov. 23 and Dec. 1.
Approximately half of the respondents, who were required to have direct involvement with their employers’ PCI-compliance efforts, said their companies had been involved with PCI compliance since the standard was introduced in 2006. Some 17% of respondents were classified as Level 1 merchants (processing 6 million or more Visa transactions annually), while 55% were Level 2 or 3 merchants (processing 20,000 to 6 million transactions annually). The rest processed fewer than 20,000 transactions annually.
Some 56% of respondents expected to “slightly” increase spending on PCI-compliance efforts this year, while 11% anticipated “dramatically” increasing spending, 7% expected to slightly decrease spending, and 1% expected to dramatically increase spending. One-fourth of respondents anticipated no change in PCI-compliance spending this year.
The amount organizations may spend this year on PCI compliance varied widely because of their scope and size, Fred Kost, Cisco director of security solutions, tells PaymentsSource. “Many organizations are finding that in order to remain in compliance they are going to spend somewhat more this year, which could range from adding new wireless-payment channels to upgrading core infrastructure,” he says.
One of the survey’s goals was to determine how various industries were coping with PCI compliance, Kost says. The individuals surveyed encompassed a broad variety of organizations, including retailers, government agencies, financial and educational institutions, and health care providers, he notes.
“The PCI standards have been around for several years, and while there is a perception that it’s mainly retailers who have to come to grips with this, in fact it cuts rather broadly across all types of industries,” Kost says.
Sixty-two percent of respondents said they had spent between $100,000 and more than $1 million on PCI compliance during the past five years, while 12% spent $50,000 to $1 million, 13% spent less than $50,000, 1% spent nothing, and the rest were unsure.
One of the biggest hassles of complying with the PCI standard is educating employees on the proper handling of cardholder data, the survey found, with 43% of respondents citing that task as a “challenge.”
“Helping employees handle cardholder data properly is different for every company, but many organizations are constantly working to make employees aware of the risks of exposing cardholder data in everything from everyday processes to social media and other channels,” Kost says. “Education is an ongoing challenge.”
Other challenges respondents cited included upgrading antiquated systems to bring them into compliance (32%), the need to change business practices to meet compliance (29%), and the lack of adequate personnel (28%) or budget (25%) to support compliance efforts.
Twenty-two percent of respondents cited a “lack of clarity” in the standard’s requirements as a hassle, while 17% said a top challenge was “efficiently decreasing PCI scope using segmentation.” Sixteen percent of respondents said PCI compliance poses “no problems.”
Some 87% of respondents said they know about the clarifications and recommendations associated with the latest PCI standard announced in May (see story: http://www.paymentssource.com/news/pci-council-updates-pin-device-standard-3001695-1.html). But 17% said they were “barely” aware of the new standards, and the remainder said they were not aware of them at all.
Among the PCI standard’s 12 requirements, 37% of respondents cited the need to track and monitor all access to network resources and cardholder data as causing the “most issues” for achieving or maintaining compliance. Some 32% of respondents said developing and maintaining secure systems and applications caused them the most issues, while 30% pointed to the need to protect stored cardholder data.
The requirement of not using vendor-supplied defaults for system passwords and other security parameters ranked last, with 13% of respondents citing it as causing the most headaches.
Some 60% of respondents said they are using so-called “end-to-end” encryption to simplify PCI-compliance efforts and to possibly reduce the scope of their next PCI audit, while 20% said they either were not using full encryption or were unsure whether they were. Nine percent of respondents said they are using end-to-end encryption for other, unspecified reasons, and 11% said that while they were not yet using it, they were “thinking about it.”
Thirty-six percent of respondents said they foresee an eventual need to increase the number of virtual security appliances they use to ensure PCI compliance, such as firewalls, while 30% said they need to upgrade their company’s virtualization software, 21% said they need to increase the number of servers they use, and 21% said they must increase or change their data-storage design to remain in compliance. Some 18% anticipated no changes in their security environment, and 15% were not sure whether any were needed.
The majority of respondents, 85%, said they believe their companies would pass a PCI-security audit “today,” while 7% said they would not and 8% were unsure.
Seventy percent of respondents said PCI compliance makes their organizations “much more” or “slightly more” secure, while 15% said their organizations already followed the best security practices before the PCI security standards existed. Some 10% said PCI standards do not make an organization more secure; the remainder were unsure whether they did.
More than half of respondents, 51%, said PCI compliance was “burdensome but necessary,” while 36% said it was necessary and they did not mind dealing with it, and 8% said it was burdensome and unnecessary. Five percent said existing PCI security standards “don’t go far enough in protecting cardholder data,” according to the survey.