A check-list approach to compliance with the Payment Card Industry Data Security Standard (PCI DSS) is exposing thousands of consumers to personal data breaches, a survey has revealed.
But according to analysts, that risk is greater among smaller businesses.
This is backed up by the survey of 500 IT security managers at US and multinational companies by the Ponemon Institute.
The survey found that only 28% of businesses with fewer than 1,000 staff are PCI DSS-compliant, compared with 70% of larger companies.
The main reason for the discrepancy is simply that smaller businesses have fewer staff and smaller budgets, says Rob Rachwald, director of corporate communications at security firm Imperva.
A lack of resources was cited by 60% of survey respondents as the reason for failing to comply with PCI DSS.
The study also found that companies devote 35% of their IT security budgets to PCI compliance on average.
This makes cost a significant obstacle to achieving PCI compliance, especially for smaller companies, says Rachwald.
For this reason, many smaller companies do not even attempt PCI compliance and consequently have low levels of security in place, he says.
The PCI DSS Council that governs the standard needs to make allowances for the fact that smaller businesses have neither the resources nor the needs of larger companies, says Rachwald.
PCI compliance is seen as a costly burden and IT managers in smaller organisations find it difficult to build a solid business case for investing in it, he says.
Avivah Litan, vice-president at analyst firm Gartner, recommended that the PCI DSS Council adopt a risk-based approach to the standard.
The one-size-fits-all approach of the current standard imposes unreasonable requirements on many companies that have simple networks, she says in a research paper published in May.
Achieving compliance is also difficult for companies that have implemented effective security technologies that are not included in the PCI standard, she says.
It would make more sense for the PCI DSS Council to publish a new set of requirements for smaller businesses that will meet the reduced risk profile and cost less to achieve, says Rachwald.
Imperva is to make this recommendation to the PCI DSS council ahead of the 31 October deadline for submissions on updating the standard.
A more appropriate and more easily achievable standard would encourage more small businesses to work towards compliance and raise their levels of card data security, says Rachwald.
Meeting a risk-based standard would deliver a much higher level of security than failing, or not even attempting, to meet the current standard, which is not tailored to smaller businesses, he says.
Imperva is also recommending the introduction of a PCI DSS logo in its submission.
Businesses could display the logo on their websites to prove they have a reasonable level of card security in place to assure and attract customers, says Rachwald.
This would have the effect of giving PCI-compliant businesses a competitive edge and make it far easier for IT security managers to make the business case for achieving certification, he says.
Having a logo would give organisations something to rally behind, which would make PCI compliance much stronger and more meaningful, says Rachwald.