US organisations are broadly positive about the value of PCI compliance, with 70% arguing that they are more secure than they would be if the requirements were not in place, according to a Cisco-commissioned survey.
The survey, conducted by InsightExpress, saw 500 IT decision makers from finance, retail, healthcare, education and government organisations quizzed on attitudes to the payment security requirements.
The vast majority - 87% - say PCI requirements are necessary for protecting cardholder data. However, just over half say this is despite the rules being "burdensome", compared to 36% who do not mind dealing with them.
Respondents are also confident that they are meeting requirements, with 85% thinking they would pass an assessment taken now and 78% having passed their last one.
Around two thirds expect that their organisation will increase spending on PCI compliance over the next year, indicating management "buy-in", argues Cisco. In addition, 60% of respondents suggested that PCI-compliance projects can drive other network or network security projects.
Despite the generally positive attitude, respondents still highlight PCI DSS challenges, notably the problem of educating employees on the proper handling of cardholder data, cited by 43%, and issues with updating antiquated systems, mentioned by 32%.
Respondents feel that of the 12 PCI requirements, tracking and monitoring all access to network resources and cardholder data (37%), developing and maintaining secure systems and applications (32%), and protecting stored cardholder data (30%) cause the most issues for achieving or maintaining compliance.
The survey also shows that many organisations are pushing ahead in areas not yet covered by PCI standards, particularly in relation to virtualisation and point-to-point encryption. Over half are satisfied with their current virtualisation security posture and 60% are already using P2P encryption. For financial services firms this rises to 70%.
Fred Kost, director, Security Solutions, Cisco, says: "This survey demonstrates that the PCI Council is being successful in communicating and getting the active participation and increased adoption of the PCI standards among stakeholders. The findings also suggest that organisations are increasingly aware of the benefits of compliance."
The results contrast with a March survey of UK firms, which found that the vast majority had yet to be certified as PCI DSS compliant, with a third unsure if they would meet an upcoming September deadline.