Businesses' half-hearted efforts at compliance with the payment card industry data security standard mean thousands of consumers are not fully protected from data breaches, a survey has revealed.
Less than a third of businesses consider the payment card industry data security standard (PCI DSS) a strategic initiative, according to the Ponemon Institute survey of over 500 IT security managers.
Some 79% of US and multinational companies surveyed said they had lost credit card information, yet only 29% use PCI DSS as part of their security strategy.
Over half (55%) said they focus on protecting only credit card data and do not attempt to secure other sensitive customer information, the survey showed.
Companies typically spend 35% of their IT security budget on PCI compliance, but this is not translating into greater data security, says Larry Ponemon, chairman of the Ponemon Institute.
The survey shows the PCI DSS is not being used to its fullest effect, he said.
This is because most (73%) businesses are approaching PCI compliance using a basic checklist or tick-box approach.
Only 27% of respondents said PCI compliance is positively contributing to their organisation's security because they are taking a strategic approach to compliance.
Businesses should use PCI to bring about a broader, more effective security programme, said Amichai Shulman, chief technology officer at security firm Imperva.
IT security managers should use PCI compliance to get senior management aware of and involved in IT security, he said.
PCI helps create a business case tightly coupled to information security, said Shulman. But without executive support, compliance and overall security will suffer, he said.
It is also important for businesses to assign a champion who owns and drives PCI, to ensure that implementations are successful.
This will ensure organisations have an effective security strategy and will not suffer data breaches as Heartland Payment Systems did, despite its PCI compliance, said Shulman.
This is one of the biggest dangers of adopting a tick-box approach instead of making compliance a key part of security strategy, he said.