Wednesday, January 26, 2011
To gauge the state of the Payment Card Industry (PCI) Data Security Standard (DSS), Cisco Systems Inc. conducted a survey of 500 information technology (IT) professionals at U.S. businesses. The results show that most businesses view the PCI DSS in a positive light, but that the greatest challenge to achieving PCI compliance is the education of employees about proper data security procedures.
Seventy percent of survey respondents believe they are slightly more or much more secure by being PCI compliant. Additionally, 85 percent of IT professionals believe their organizations would pass PCI security assessments, and a combined 87 percent recognize that compliance is necessary.
According to the survey, the main stumbling block to achieving PCI compliance concerns employee education. Forty-three percent of respondents reported that educating employees on the proper handling of cardholder data was the main challenge; 32 percent said the biggest hurdle was upgrading antiquated systems to gain compliance.
Fred Kost, Marketing Director, Security Solutions for Cisco, said the most surprising finding from the survey was that the chief impediment to PCI compliance was a "people challenge," not a technological one. "I would have thought, given all the prescriptive guidance around PCI, that maybe people were having issues around technology," he said.
Another surprising outcome Kost pointed out was that no one PCI requirement out of the 12 dominated the "causing the most issues" question. Tracking and monitoring all access to network resources and cardholder data (Requirement 10) topped the list at 37 percent, while Requirement 6 (develop and maintain secure systems and applications) and Requirement 3 (protect stored cardholder data) came in at 32 and 30 percent, respectively.
The portion of respondents reporting challenges with the remaining nine requirements ranged from a high of 29 percent to a low of 13 percent. "There really wasn't one of the issues outstanding," Kost said. "It seemed to be a pretty balanced response."
To reflect the compliance experiences of a full spectrum of businesses, the survey engaged IT decision makers from Level 1 through Level 4 organizations and across five business sectors: health care, finance, retail, education and government.
When asked how much their enterprises had spent on PCI compliance in the last five years, 62 percent of respondents indicated they had spent at least $100,000. Additionally, a total of 67 percent said they would either increase PCI compliance spending dramatically (11 percent) or slightly (56 percent) in the next year.
The survey results also suggest that funding for PCI compliance is a driver for other IT projects related to network infrastructure and security. Sixty percent of respondents reported that PCI spending can drive budgets for other projects. Kost said the reason is that PCI "touches" many facets of organizational infrastructures, including wireless routing, switching and other technologies.
An additional finding was that 60 percent of respondents are using point-to-point encryption to simplify compliance efforts and as a possible way to reduce the scope of future assessments.
The survey also asked about the security around virtualized networks, an area that seems to be gaining in importance for businesses. More than a third of respondents said they needed to increase the number of virtual security appliances, such as firewalls and intrusion prevention systems, in order to comply with the PCI requirements. An additional 30 percent said they needed to strengthen their virtualization software using guidance from the PCI Security Standards Council and security solution vendors.
"They're saying they've virtualized resources that may have been physical," Kost said. "And they may have relied on physical security devices to protect those resources. Now that the resources are virtual, they may need to do greater segmentation and individual protection of some of them, so they're looking for some virtual security compliance to protect those environments."
The survey can be accessed at www.cisco.com/go/pci.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.