Imperva and Ponemon 2011 PCI DSS Compliance Trends Study. Survey of IT & IT security practitioners in the U.S.
The Payment Card Industry Data Security Standard (PCI DSS) continues to be one of the most important regulations for all organizations that hold, process or exchange cardholder information.
In 2009, Ponemon Institute, with sponsorship from Imperva, conducted the first study to determine if IT and IT security practitioners believe PCI compliance improves organizational security and how it affects the ability to respond to security threats affecting payment account data.
In this study, the 2011 PCI DSS Compliance Trends Study, we (Imperva and Ponemon) continue to examine how efforts to comply with PCI affect an organization’s strategy, tactics and approach to enterprise data protection and security, and how the state of PCI compliance has changed since the first study. We also consider how IT and IT security practitioners in organizations of different sizes view PCI compliance.
A total of 670 US and multinational IT and IT security practitioners who are involved in their companies’ PCI compliance efforts were surveyed on the following topics:
- What is the state of PCI DSS compliance in the organization?
- Who is most responsible in an organization for ensuring compliance with PCI DSS requirements?
- What technologies are preferred to achieve compliance with PCI DSS requirements?
- Does PCI DSS contribute to a decline in data breaches?
- Where are the greatest threats to the security of cardholder data located?
- What is the value PCI DSS compliance provides to the organization?
This year’s report shows that:
- 55% of respondents say their organization’s data breach incident did not concern the loss or theft of cardholder data
- 39% say one of the data breach incidents involved cardholder data and 6% report two to five incidents involving cardholder data
- The percentage of respondents reporting that their organization had a data breach in the past 24 months increased from 79% in 2009 to 85% in 2011
- Although the majority of PCI compliant organizations suffer fewer or no breaches, most practitioners still do not perceive the mandate as having a positive impact on data security
- About 64% of PCI DSS compliant organizations reported suffering no data breaches involving credit card data over the past two years, while only 38% of non-compliant organizations reported suffering no breaches involving credit card data over the same period
- Adoption of technologies used to comply with PCI varies widely from one technology to another. Code review, for example, saw the biggest decline in adoption
- The percentage of non-compliant companies decreased from 25% to 16%. Correspondingly, the percentage of fully compliant companies increased from 22% to 33%
- 38% of respondents in compliant organizations say their organization had two or more breaches in the past 24 months, versus 78% of respondents in the non-compliant group
- 66% of respondents say their organizations retain and store primary account numbers for various reasons
- 33% of respondents see PCI DSS compliance costs as adding more value than other IT security expenditures. Another 35% say these expenditures are at about the same level of value. Finally, 32% see PCI DSS compliance costs as adding less value than other IT security expenditures made
- 58% of respondents say that their organization has conducted, or is in the process of conducting, an audit or assessment by a bona fide QSA (Qualified Security Assessor) professional. Of those who have completed such an audit or assessment, 68% say that it helped the organization meet its PCI DSS compliance requirements