PCI is Reducing Data Breaches
Does PCI compliance actually help mitigate IT security risks? Why yes, yes it does.
The purpose of the Payment Card Industry Data Security Standard (PCI-DSS) is to help reduce IT security risk.
According to a new 2010 PCI DSS Compliance Trends Study from the Ponemon Institute sponsored by security vendor Imperva, PCI-DSS is working. The study surveyed 670 security professionals about PCI-DSS compliance and data breaches and came up with some interesting results.
Among the key findings of the report is that PCI-DSS compliance does correlate with security. The study found that 64 percent of compliant organizations had no data breaches of credit card data over the last two years. In contrast, among non-PCI-DSS-compliant organizations, only 38 percent were able to report that they suffered no data breaches involving credit card data.
While PCI-DSS is focused on the payment industry, compliance can help to reduce non-credit-card data breaches as well. The study found that 63 percent of PCI-compliant organizations were hit by at most one data breach. In contrast, 26 percent of non-PCI-compliant organizations were hit by five or more data breaches.
Though the data would seem to support the correlation between PCI-DSS compliance and improved security, that was not the general sentiment expressed by survey respondents. Only 33 percent of survey respondents indicated that costs related to PCI-DSS compliance brought value to their organizations.
Imperva's Director of Security Strategy, Rob Rachwald, told InternetNews.com that he was surprised that PCI had such a strong influence on reducing data breaches -- yet few companies recognized PCI's contributions.
"PCI is prescriptive and defines several precise technical requirements," Rachwald said. "Many organizations may feel that many of these specific steps are superfluous while not seeing the broader impact PCI has had on their security posture."
Another interesting trend to note is there were no mega breaches in 2010, which may in part be due to improved PCI compliance.
"In 2009, we saw Heartland, and in 2008, we saw Hannaford and many other large breaches," Rachwald said. "But for now, the mega breach seems to have gone away. There are many factors here, including the arrest [and conviction] of Albert Gonzalez, but one cannot overlook the contribution PCI made to raising awareness for security."
PCI compliance overall has been on the rise, according to the study. According to the report, two-thirds of survey respondents were in compliance. In contrast, only half of the survey respondents in 2009 were in compliance. By comparison, only 16 percent of organizations surveyed in 2011 have not achieved any level of PCI-DSS compliance.
"The key to success is making software security a strategic initiative," Rachwald said. "Once executives realize, like Intel's CEO observed, that 'security is the third pillar of business,' the frequency of breaches drops dramatically."