Businesses are putting customer credit card data at risk by failing to treat security as a top strategic initiative, according to a survey from the Ponemon Institute.
The survey - conducted for vendor Imperva - of over 500 IT security staff at US and multinational firms found that 71% of companies do not treat PCI DSS as a strategic initiative, despite the fact that three quarters have been hit by a data breach.
Furthermore, 55% admit to only securing credit card data and not sensitive information such as Social Security and driver's license numbers or bank account details.
Money appears to be an important factor, with 60% of respondents saying they don't think they have sufficient resources to comply with PCI and bring about a necessary level of cardholder security.
Smaller companies are far less likely to be in compliance with PCI standards. The survey shows that only 28% of firms with 501 to 1000 employees comply as opposed to 70% of companies with over 75,000 staff.
The low levels of PCI compliance come despite the fact that companies devote 35% of their IT security budgets to it.
"Security departments are using PCI compliance as leverage to gain more budget, but these resources are not always translating into greater security for sensitive customer data," says Larry Ponemon, chairman, Ponemon Institute.