PCI DSS compliance a box ticking exercise

Karl Flinders

Many businesses are more concerned about complying with the Payment Card Industry Data Security Standard (PCI DSS) than about actually protecting sensitive data.

Over 40% of businesses that achieve PCI DSS compliance rely too heavily on temporary compensating controls, according to research.

The research, which looked at PCI DSS compliance from the perspective of qualified security assessors (QSAs) and was conducted by Ponemon Institute for security supplier Thales, concluded that 41% of businesses would fail their PCI DSS assessment if they were not allowed to rely on "temporary compensating controls".

Larry Ponemon, chairman and founder of Ponemon Institute, said: "This study indicates a significant concern among QSAs that many merchants are primarily focused on complying with PCI and less on what should be equally important - protecting sensitive information."

Other findings of the research include:

  • QSAs say the hardest requirement to meet is restricting access to cardholder data on a business need-to-know basis, which they also consider the most important requirement for achieving PCI DSS compliance.
  • QSAs see the most significant threats to card data in merchant networks and in the databases that hold cardholder data.
  • 60% of QSAs believe encryption is the most effective means to protect card data from the moment it is accepted at the point of sale to when the transaction is authorised.

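The last two findings point at one design: encrypt the card number at the moment of acceptance, under a key the merchant does not hold, so that the merchant's networks and databases (the threats the QSAs name) only ever carry ciphertext and a truncated PAN. The following is an added example and is not code from the article, from Ponemon Institute or from Thales. It assumes a single AES-256-GCM key held by the payment processor (a real point-to-point encryption deployment would use per-transaction keys in a PTS-approved device), uses the standard Visa test number 4111 1111 1111 1111 as constructed input, and names its own functions (CaptureAtPOS, DecryptAtProcessor, TruncatePAN, LuhnValid).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// aadLabel is bound into the GCM tag so a record cannot be replayed under
// another purpose (assumption: a single record type).
const aadLabel = "pan-v1"

// ProcessorKey is a constructed demo key. In a real deployment only the
// processor holds it; the POS device encrypts and never decrypts.
var ProcessorKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

// CardRecord is all the merchant's systems are allowed to keep: a
// truncated PAN for receipts and lookups, plus an opaque ciphertext.
type CardRecord struct {
	Truncated  string // first six and last four digits
	Ciphertext string // hex(nonce || AES-GCM ciphertext || tag)
}

// LuhnValid returns true when pan has 13-19 digits and a valid check digit.
func LuhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// TruncatePAN keeps the first six and last four digits and masks the rest.
func TruncatePAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// CaptureAtPOS validates the PAN and encrypts it at the point of acceptance.
func CaptureAtPOS(key []byte, rawPAN string) (CardRecord, error) {
	pan := strings.ReplaceAll(rawPAN, " ", "")
	if !LuhnValid(pan) {
		return CardRecord{}, errors.New("invalid PAN")
	}
	aead, err := newGCM(key)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return CardRecord{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(aadLabel))
	return CardRecord{
		Truncated:  TruncatePAN(pan),
		Ciphertext: hex.EncodeToString(append(nonce, ct...)),
	}, nil
}

// DecryptAtProcessor recovers the PAN for authorisation. It fails closed on
// a wrong key or on any change to nonce, ciphertext or tag.
func DecryptAtProcessor(key []byte, rec CardRecord) (string, error) {
	raw, err := hex.DecodeString(rec.Ciphertext)
	if err != nil {
		return "", err
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], []byte(aadLabel))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	rec, err := CaptureAtPOS(ProcessorKey, "4111 1111 1111 1111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant stores:", rec.Truncated, rec.Ciphertext)
	pan, err := DecryptAtProcessor(ProcessorKey, rec)
	fmt.Println("processor sees:", pan, err)
}
```

The point for an assessor is the data flow rather than the cipher: because the merchant stores only CardRecord and never the key, the need-to-know requirement is enforced by construction instead of by a compensating control, and a database dump yields nothing usable for fraud.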