Many businesses are more concerned about complying with the Payment Card Industry Data Security Standard (PCI DSS) than about actually protecting sensitive data.
Over 40% of businesses that meet PCI DSS compliance rely too heavily on temporary controls, according to research.
The research, which looked at PCI DSS compliance from the perspective of qualified security assessors (QSAs) and was conducted by Ponemon Institute for security supplier Thales, concluded that 41% of businesses would fail their PCI DSS compliance if they were not allowed to rely on "temporary compensating controls".
Larry Ponemon, chairman and founder of Ponemon Institute, said: "This study indicates a significant concern among QSAs that many merchants are primarily focused on complying with PCI and less on what should be equally important - protecting sensitive information."
Other findings of the research include:
- QSAs find the most difficult requirement to meet is restricting access to cardholder data on a business-driven need-to-know basis, which they also consider the most important requirement for achieving PCI DSS compliance.
- QSAs find the most significant threats to card data come from merchant networks and databases containing cardholder data.
- 60% of QSAs believe encryption is the most effective means to protect card data from the moment it is accepted at the point of sale to when the transaction is authorised.