
Businesses' half-hearted efforts at compliance with
the payment card industry data security standard mean thousands of consumers are not fully protected from
data breaches, a survey has revealed.
Fewer than a third of businesses consider the payment card industry
data security standard (PCI DSS) a strategic initiative,
according to the Ponemon Institute survey of over 500 IT security managers.
Some 79% of the US and multinational companies surveyed said they
had lost credit card information, yet only 29% use PCI DSS as part
of their security strategy.
Over half (55%) said they focus on protecting only credit card
data and do not attempt to secure other sensitive customer
information, the survey showed.
Companies typically spend 35% of their IT security budget on PCI
compliance, but this is not translating into greater data
security, says Larry Ponemon, chairman of the Ponemon
Institute.
The survey shows the PCI DSS is not being used to its fullest
effect, he said.
This is because most businesses (73%) approach
PCI compliance using a basic checklist or tick-box
approach.
Only 27% of respondents said PCI compliance is positively
contributing to their organisation's security because they are
taking a strategic approach to compliance.
Businesses should use PCI to bring about a broader, more
effective security programme, said Amichai Shulman, chief
technology officer at security firm Imperva.
IT security managers should use PCI compliance to make senior
management aware of, and involved in, IT security, he said.
PCI helps create a business case tightly coupled to information
security, said Shulman. But without executive support, compliance
and overall security will suffer, he said.
It is also important for businesses to assign a champion who
owns and drives PCI, to ensure that implementations are
successful.
This will ensure organisations have an effective security
strategy and will not suffer data breaches as Heartland Payment
Systems did, despite its PCI compliance, said Shulman.
This is one of the biggest dangers of adopting a tick-box
approach instead of making compliance a key part of security
strategy, he said.