1. Encryption is one of the most effective means for achieving compliance but questions arise on how to treat encrypted data in audits. It is believed that clarifications will be issued on the use of encryption and key management.
2. 41% of those surveyed believed tokenization will be included in the update as the technology to use to increase cardholder data security and reduce cost of compliance.
3. Tier 1 merchants are paying $122,000 more on average than Tier 2 merchants to do the same QSA assessments.
The Ponemon Institute, an information-management think tank, designed the survey to focus on identifying trends, recommendations and preferences of QSAs involved in PCI DSS compliance. Specifically, the survey questions focused on the background, experience, client observations, expected changes in PCI DSS, preferences on how to achieve compliance, and typical client recommendations. The results are available in this newly released report, sponsored by Thales entitled: PCI DSS Tends 2010: QSA Business Report. The report can be downloaded at www.thalesgroup.com/iss
"Our research continues to validate that 60 percent of QSAs believe encryption to be the most effective means to protect card data end-to-end, and 41 percent of QSAs said that controlling access to encryption keys is the most difficult key management task faced by clients using encryption. It remains clear that QSAs consider encryption to be one the best techniques merchants can use to keep information safe and comply with PCI requirements. The current version of the standard, however, is ambiguous about how exactly encrypted data should be treated in audits, so QSAs seem to be confident that the October 2010 update to PCI DSS will provide clarity," says Dr. Larry Ponemon, chairman and founder of The Ponemon Institute.
In addition to clarification about encryption and key management, the survey revealed that QSAs expect tokenization to be the new technology most likely included in the PCI DSS updadate. In 2009, The PCI Security Council commissioned a PricewaterhouseCoopers study to examine whether four emerging technologies showed potential to enhance data security and reduce compliance costs: tokenization, end-to-end encryption, virtual terminals and card management solutions. "41 percent of QSAs believe tokenization is the most likely of these technologies to be addressed in the PCI update, while 28 percent said end-to-end encryption is the most likely, 13 percent said virtual terminals and 9 percent said magnetic stripe imaging," continued Ponemon. "Only 11 percent of QSAs believe that none of the technologies considered will be included in the PCI DSS updates."
The research also revealed that on average, Tier 1 merchants pay about $122,000 more than Tier 2 merchants for QSA assessments. As uncovered in the previously issued QSA Insights Report, the average cost of an annual QSA audit—the fees paid to QSAs for assessment services—for Tier 1 merchants is about $225,000. The complete research results reveal that an annual assessment for Tier 2 merchants averages $103,000 and for Tier 1 service providers, such as large payment processors, the average cost of an annual on-site QSA assessment is $204,000.
"Complying with PCI DSS requirements is a great first step toward protecting cardholder information, but as new threats emerge and attacks become more sophisticated, it is important that PCI DSS and the technologies used to safeguard data evolve as well," says Franck Greverie, Vice President for the information technology security activities of Thales. "By offering merchants insight into the new requirements likely to be included in the PCI DSS update and the current solutions in the marketplace to address these risks, this survey enables organizations to deploy the necessary technologies before the update is issued to give them a head start to enhance compliance efforts and, most importantly, better protect sensitive cardholder data."
Dr Larry Ponemon of the Ponemon Institute, Tim Holman, QSA and Chief Technology Officer at Blackfoot UK, and Bryta Schulz of Thales will discuss the results of this survey at InfoSecurity Europe (27-29 April 2010, Earls Court, London) in a panel discussion entitled "Wrestling with PCI DSS Compliance - A Unique Look at Achieving Compliance From An Auditors' Perspective" (Tuesday, 27 April at 11:00 a.m.). Thales is available at Stand F35 at InfoSecurity Europe to provide additional information about the survey and to discuss other issues relating to your security needs. Attendees can also pickup their free copy of the new book, PCI Cardholder Data Protection for Dummies.