Security practitioners unconvinced about PCI-DSS

Two thirds of compliant firms said no data breaches in two years

Most security practitioners do not believe the PCI-DSS standard has had a positive effect on information security, according to research from The Ponemon Institute and data security firm Imperva, even though the institute said PCI-DSS compliant companies suffer fewer data breaches.

The study considered the impact of the Payment Card Industry Data Security Standards. It saw 670 US and multinational IT security practitioners questioned on how efforts to comply with PCI-DSS affect an organisation's data protection and security.

The report said that while the majority of PCI-DSS compliant organisations suffer fewer or no breaches, most practitioners still do not perceive PCI-DSS to have had a positive impact on data security.

According to the study, 64 percent of PCI-DSS-compliant organisations reported suffering no data breaches involving credit card data over the past two years, while only 38 percent of non-compliant organisations reported suffering no breaches involving credit card data over the same period.

When it comes to overall data breaches (general incident or those involving credit card data), 63 percent of compliant organisations suffered no more than a single data breach, compared to 22 percent of non-compliant organisations.

Notably, 26 percent of non-compliant organisations suffered more than five breaches over the same time period.

"At the end of the day, we believe that PCI-DSS is one of the most effective data security regulations today and can significantly help companies improve their data security," said Amichai Shulman, CTO of Imperva. "Most companies who make an effort to comply with the standards are likely to suffer fewer breaches than those who don't."

Despite evidence to the contrary, the study also found that 88 percent of respondents did not support the claim that PCI-DSS compliance has a positive effect on the number of breaches experienced, and only 39 percent mentioned data security improvement as one of the regulation's benefits to business.

In fact, only 33 percent believe that PCI-DSS compliance expenditure is covered by the value it brings to an organisation.

"Looking at the figures regarding the actual decrease in data breaches and recent figures regarding the cost of data breaches, it seems that many practitioners have a very subverted perception of the value of PCI-DSS compliance," said Larry Ponemon, chairman of the Ponemon Institute.

In end user news, earlier this month it was reported that Endsleigh Insurance Services had improved its network log data management to help comply with PCI-DSS regulations.

The company deployed an integrated log management and security information and event management (SIEM) system from LogRhythm, to gain a unified view of the various security threats and operational issues affecting all parts of its network.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags careersIT managementImpervaIT Business

More about Imperva

Show Comments