Organisations that comply with the payment card industry data security standard (PCI DSS) have far fewer data breaches, according to a joint study by security firm Imperva and the Ponemon Institute.
The study found that in 2010, 99% of compliant organisations suffered no more than a single credit card related breach compared with 85% of non-compliant organisations, while 64% of compliant organisations had no breach at all compared with 38% of non-compliant organisations.
Only 1% of compliant organisations suffered more than one breach related to credit card data compared with 15% of non-compliant organisations, and 63% of compliant organisations suffered no more than a single breach overall compared with 22% of non-compliant, according to the 2011 PCI DSS Compliance Trends Study.
Only 3% of compliant organisations had more than 5 breaches, compared with 26% of non-compliant organisations.
Despite these results, only a third of respondents believe that the cost of PCI DSS compliance is justified by the value it brings to their organisation, says Amichai Shulman, chief technology officer at Imperva.
"Looking at the figures regarding the actual decrease in data breaches and recent figures regarding the cost of data breaches, it seems that many practitioners have a much subverted perception of the value of PCI-DSS compliance," he says.
But almost two thirds of respondents achieved substantial compliance with PCI compared with 50% in 2009, and only 16% of organisations have not achieved any level of PCI compliance compared with 25% in 2009.
"I think that this is due to a maturity and the PCI deadlines that occurred between 2009 and today," says Shulman.
The study shows a shift in the technologies used to achieve compliance, with the use of web application firewalls (WAFs) going up 6 points and code review going down 8 points.
This is no surprise, says Shulman, as a WAF has traditionally been considered to be more cost effective. "Being external, it also enables faster response times in mitigating attacks," he says.
The study shows that the organisations that suffered no breaches are not necessarily those with the biggest budgets.
"This proves our claim from the previous survey that achieving effective compliance greatly depends on finding cost-effective solutions rather than spending more money," says Shulman.
All too often, he says, organisations are engaged in PCI compliance for the wrong reason because they see it as an opportunity to increase the security budget.
Overall, the study shows that PCI DSS does work, says Shulman, and that if organisations invest in becoming compliant, it will have a positive effect on their security, reducing not only credit card breaches but all data breaches.
"Over the past few years, most companies have matured in their understanding of the PCI mandate and have worked to meet strict compliance deadlines," says Shulman.
"We believe this is one of the primary reasons we've seen an overall increase in compliance and also, we believe, a decline in the number of credit card-related data breaches."