IMGCAP(1)]
Results of a recent study suggest that 55% of companies follow industry standards to protect customers' credit card numbers, but they do not apply data-security measures to customers' Social Security and driver's license numbers and bank account details.
The Poneman Institute LLC, a Traverse City, Mich.-based data-security research firm, and Imperva Inc., a Redwood Shores, Calif.-based provider of data-security services, surveyed approximately 500 U.S. companies online during the last week of August.
Nearly 80% of survey respondents said they have experienced a data breach involving the loss or theft of credit card information, but 71% said data security is not a "top" strategic initiative. Some 60% of those surveyed said they lack sufficient resources to comply with the Payment Card Industry Data Security Standard administered by the PCI Security Standards Council LLC.
Only 28% of smaller companies, those with 501 to 1,000 employees, said they comply with PCI standards. That compares with some 70% of larger companies with 75,000 or more employees who said they do.
Some 27% of all survey respondents said they are taking a "strategic" approach to PCI compliance, which is improving their data-security efforts. However, 73% of respondents said they use a basic "checklist" approach to achieve PCI compliance.
In advance of the PCI Council's Oct. 31 deadline for gathering information to help shape a new set of PCI standards to be released next year, Imperva has crafted a set of recommendations. It suggests that the PCI Council modify PCI security standards to suit smaller companies' resources and establish a logo to signal to consumers which companies are PCI-compliant.
Imperva also recommends that all companies should assign an executive to spearhead their PCI-compliance efforts and integrate PCI-compliance into general information-technology initiatives.
