In 2009, Ponemon Institute, with sponsorship from Imperva, conducted the first study to determine if IT and IT security practitioners believe PCI compliance improves organizational security and how it affects the ability to respond to security threats affecting payment account data.
In this study, 2011 PCI DSS Compliance Trends Study, we (Imperva and Ponemon) continue to examine how efforts to comply with PCI affects the organization’s strategy, tactics and approach to achieving enterprise data protection and security and how the state of PCI compliance has changed since the first study. We also consider the reactions of IT and IT security practitioners in different-sized organizations have about compliance with PCI.
A total of 670 US and multinational IT and IT security practitioners who are involved in their companies’ PCI compliance efforts were surveyed on the following topics:
What is the state of PCI DSS compliance in the organization?
Who is most responsible in an organization for ensuring compliance with PCI DSS requirements?
What technologies are preferred to achieve compliance with PCI DSS requirements?
Does PCI DSS contribute to a decline in data breaches?
Where are the greatest threats to the security of cardholder data located?
What is the value PCI DSS compliance provides to the organization?
This year’s report shows that:
55% of respondents say their organization’s data breach incident did not concern the loss or theft of cardholder data
39% say one of the data breach incidents involved cardholder data and 6% report two to five incidents involving cardholder data
The percentage of respondents reporting that their organization had a data breach in the past 24 months increased from 79% in 2009 to 85% in 2011
The majority of PCI compliant organizations suffer fewer or no breaches, most practitioners still do not perceive the mandate to have a positive impact on data security
About 64% of PCI-DSS compliant organizations reported suffering no data breaches involving credit card data over the past two years, while only 38 percent of non-compliant organizations reported suffering no breaches involving credit card data over the same period
Certain technologies are adopted more quickly than others to comply with PCI. For example, code review saw the biggest decline in adoption
The percentage of non-compliant companies decreased from 25% to 16%. Correspondingly, the percentage of fully compliant companies increased from 22% to 33%
38% of the compliant organizations say their organizations had two or more breaches in the past 24 months versus 78% of respondents in the non-compliant group
66% of respondents say their organizations retain and store primary account numbers for various reasons
33% of respondents see PCI DSS compliance costs as adding more value than other IT security expenditures. Another 35% say these expenditures are at about the same level of value. Finally, 32% see PCI DSS compliance costs as adding less value than other IT security expenditures made
58% of respondents say that their organization has conducted or is in the process of conducting an audit or assessment by a bona fide QSA professional. Of those who have completed such an audit or assessment, 68% say that it helped the organization achieve its PCI DSS compliance requirements