A check-list approach to compliance with the Payment Card Industry Data Security Standard (PCI DSS) is exposing thousands of consumers to personal data breaches, a survey has revealed.

According to analysts, however, that risk is greater among smaller businesses.

This is backed up by the survey of 500 IT security managers at US and multinational companies by the Ponemon Institute.

The survey found that only 28% of businesses with fewer than 1,000 staff are PCI DSS-compliant, compared with 70% of larger companies.

The main reason for the discrepancy is simply that smaller businesses have fewer staff and smaller budgets, says Rob Rachwald, director of corporate communications at security firm Imperva.

A lack of resources was cited by 60% of survey respondents as the reason for failing to comply with PCI DSS.

The study also found that companies devote 35% of their IT security budgets to PCI compliance on average.

This makes cost a significant obstacle to achieving PCI compliance, especially for smaller companies, says Rachwald.

For this reason, many smaller companies do not even attempt PCI compliance and consequently have low levels of security in place, he says.

The PCI DSS Council that governs the standard needs to make allowances for the fact that smaller businesses have neither the resources nor the needs of larger companies, says Rachwald.

PCI compliance is seen as a costly burden, and IT managers in smaller organisations find it difficult to build a solid business case for investing in it, he says.

Avivah Litan, vice-president at analyst firm Gartner, recommended that the PCI DSS Council adopt a risk-based approach to the standard.

The one-size-fits-all approach of the current standard imposes unreasonable requirements on many companies that have simple networks, she says in a research paper published in May.

Achieving compliance is also difficult for companies that have implemented effective security technologies that are not included in the PCI standard, she says.

It would make more sense for the PCI DSS Council to publish a new set of requirements for smaller businesses that will meet their reduced risk profile and cost less to achieve, says Rachwald.

Imperva is to make this recommendation to the PCI DSS Council ahead of the 31 October deadline for submissions on updating the standard.

A more appropriate and more easily achievable standard will encourage more small businesses to work towards compliance and raise their levels of card data security, says Rachwald.

Achieving a risk-based standard would ensure a much higher level of security than failing, or not even attempting, to achieve the current standard, which is not tailored for smaller businesses, he says.

Imperva is also recommending the introduction of a PCI DSS logo in its submission.

Businesses could display the logo on their websites to prove they have a reasonable level of card security in place, to assure and attract customers, says Rachwald.

This would have the effect of giving PCI-compliant businesses a competitive edge and make it far easier for IT security managers to make the business case for achieving certification, he says.

Having a logo will give organisations something to rally behind, which will make PCI compliance much stronger and more meaningful, says Rachwald.