A chain is only as strong as its weakest link. The old saying applies
to Payment Card Industry Data Security Standard (PCI-DSS) compliance,
which is being driven by the Payment Card Industry Security Standards
Council but is achieving far from optimal results.
This unfortunate picture emerges from a study based on a survey of
517 IT security practitioners, which found compliance efforts at
almost three-quarters of the multinational companies for which they
work to be sadly wanting.
The study was conducted by the Ponemon Institute, a non-profit
organisation focused on data protection practices, and sponsored by
data security specialist Imperva to determine whether PCI-DSS
compliance improves organisational security.
Summing up the dismal conclusions drawn from the study, its authors
noted that respondents, all of whom are involved in their companies'
PCI-DSS compliance efforts, in general do not have "what could be
considered a favourable view of their company's security posture."
Probably the most disturbing finding was that 71 percent of
respondents do not believe their company views data security as a
strategic initiative, despite 79 percent of respondents reporting
that their company had experienced a data breach. Of those reporting
breaches, 48 percent had experienced one breach, 38 percent between
two and five breaches, and 14 percent more than five breaches.
While PCI-DSS compliance might be hoped to remedy some corporate
security inertia, this does not appear to be the case: 60 percent of
respondents reported that they have insufficient resources to comply
with PCI-DSS and achieve the required levels of cardholder data
security.
"Cost is a significant obstacle, especially for smaller companies,"
stressed Imperva's chief technology officer, Shulman. This is
reflected in the study, which found that compliance with PCI-DSS
varies considerably among companies: 70 percent of large companies
(75,000 or more employees) were compliant, compared with only
28 percent of smaller companies (501 to 1,000 employees).
On average, companies in the study spent about a third of their IT
security budget on achieving PCI-DSS compliance. The average IT
security budget was about $15 million, while the average company had
some $5 billion in annual revenue.
Shulman commented that, to accommodate smaller companies, the PCI
Security Standards Council should differentiate the requirements for
larger and smaller companies to take into account their different
environments and security needs.
His comment echoed the view expressed by Avivah Litan, vice president
at research firm Gartner, in a report published in May 2009, Moving
Beyond PCI.
"The PCI Security Standards and the card brands must update the
PCI-DSS so that it's risk-based, depending on the system
configuration of the complying company," wrote Litan. "The
one-size-fits-all approach of the current standard imposes
unreasonable requirements on many companies that have simple
networks, or have implemented security technologies that aren't
included in the PCI standards, but provide equal or greater levels of
protection."