Firms failing to treat card data security seriously

Businesses are putting customer credit card data at risk by failing to treat security as a top strategic initiative, according to a survey from the Ponemon Institute.

The survey, conducted for the vendor Imperva among more than 500 IT security practitioners at US and multinational firms, found that 71% of companies do not treat PCI DSS compliance as a strategic initiative, even though three quarters of them have already suffered a data breach.

Furthermore, 55% admit to securing only credit card data, leaving other sensitive information such as Social Security numbers, driver's licence numbers and bank account details unprotected.

Money appears to be an important factor, with 60% of respondents saying they don't think they have sufficient resources to comply with PCI and bring about a necessary level of cardholder security.

Smaller companies are far less likely to be PCI compliant: only 28% of firms with 501 to 1,000 employees report compliance, compared with 70% of companies with more than 75,000 staff.

The low levels of PCI compliance come despite the fact companies devote 35% of their IT security budgets to it.

"Security departments are using PCI compliance as leverage to gain more budget, but these resources are not always translating into greater security for sensitive customer data," says Larry Ponemon, chairman, Ponemon Institute.

Comments: (1)

A Finextra member, 23 September 2009, 16:32

Whilst initial compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) required organisations to demonstrate the existence of appropriate policies and procedures, now there is a clear need for a detailed audit trail to provide evidence to PCI assessors that all policies and procedures have been diligently followed. It is typically during a second audit that companies can often get caught.

The fundamental problem is that IT system changes can very quickly take an organisation out of its compliant state and create a security vulnerability. Therefore, without continuous monitoring and reporting, the compliance process becomes both resource intensive and potentially valueless. Why spend months achieving PCI DSS compliance only to slip out of compliance due to a system change within weeks?

In order to achieve a known and compliant state, organisations must put in place system infrastructure monitoring with change auditing to ensure compliance is sustained or what we call "achieved and maintained." Changes can then be assessed, and IT staff can be immediately alerted to any unauthorised changes that take place. This not only raises an alert if an organisation slips out of compliance but also ensures potential security weaknesses are flagged before a customer data compromise can occur.

Whilst the credit card associations are unwilling to provide information on non-compliance, behind closed doors, 2008 saw a record level of fines issued. Against this backdrop, continuous monitoring is key to sustaining compliance and minimising business risk.

Yours sincerely,

Andrew Heather
General Manager, EMEA