Research Reveals Protecting Credit Card Data has Become a High Priority for Businesses; Significant Challenges Still Exist, and Vary By Geographic Region, Industry
With initial deadlines for industry compliance set for September 30th, RSA, The Security Division of EMC (NYSE: EMC), today unveiled new data detailing the extent to which many businesses are struggling to meet the Payment Card Industry's (PCI) Data Security Standard (DSS) requirements. The findings appear in a commissioned study conducted by Forrester Consulting on behalf of RSA, entitled "The State of PCI Compliance."
A framework of best practices for any organization that collects, processes or stores credit card information, the PCI Data Security Standard is global in scope and designed to help ensure the security of credit card data throughout the information lifecycle. The study – which surveyed 677 organizations across the United States and Europe – revealed varying degrees of compliance, differing motivations to protect card data, and distinct business reasons for storing cardholder data based upon a merchant's geographic region and/or industry.
"Companies handling credit card data face unprecedented levels of accountability – and responsibility – for securing that information. While many have defined a compelling business reason to keep credit card data, these organizations then face the significant challenges – organizationally and technologically – of protecting the information," said Jim Melvin, vice president, Marketing & Security Solutions at RSA. "However the study demonstrates that organizations are starting to look at credit card data protection initiatives in a more holistic fashion and trying to integrate card data protection initiatives with broader data security efforts."
Outlook for Achieving Compliance
Merchants are generally aware of the PCI DSS requirements, but compliance and the prioritization of credit card protection initiatives are largely dependent upon the number of credit card transactions a business processes each year. Within the context of the study, these merchants are defined as:
- Level 1: Processing more than six million transactions (for a single card brand) per year
- Level 2: Processing one million to six million transactions per year
- Pre-Level 2: Processing 750,000 to 999,999 transactions per year
The data suggests that the higher the number of transactions an organization processes, the greater the priority it places on securing against credit card data breaches. Seventy-two percent of Level 1 merchants said it was a "very high priority," while only 45 percent of Pre-Level 2 merchants defined protection initiatives in the same way. However, this may change in the near future, as more than half of the merchants surveyed plan on spending between two and four percent of their 2008 IT budgets on credit card data protection – an increase from 2007 budgets.
"It's clear that larger organizations are more mindful of the needs to protect cardholder data from security breaches," added Melvin. "As an industry, we have a responsibility to help educate smaller organizations to ensure they, too, recognize the value credit card data holds, and the need to protect it."
Compliance rates also vary across regions and industry. A majority of respondents based in the United States and United Kingdom plan on becoming PCI compliant within a year while the majority of respondents from Spain, France and Germany plan on taking more than a year.
What is Driving Businesses To Comply?
For merchants with higher transaction volumes, credit card data protection is a high priority, and risk mitigation is their primary driver. When asked about the current drivers for complying specifically with PCI, 49 percent said they wanted to mitigate the risk of a data security breach. Forty-three percent cited pressure from credit card companies as their top driver, followed by potential fines (37 percent), pressure from management (34 percent), pressure from acquiring banks (33 percent), the desire for "best practices" (23 percent), and pressure from customers and clients (20 percent).
The majority of merchants – 81 percent – do choose to store credit card numbers, while another 73 percent store credit card expiration dates. Further, many companies also continue to retain information that they are absolutely prohibited from storing:
- 71 percent are storing credit card verification codes
- 57 percent store customer data from credit cards' magnetic stripes
And, the largest providers are the ones retaining credit card data. Ninety-four percent of the Level 1 respondents and 80 percent of the Level 2 respondents retain credit card numbers. Eighty-nine percent of Level 1 respondents retain credit card expiration dates, and 72 percent retain credit card verification codes versus 71 percent and 74 percent respectively of Level 2 respondents.
The reasons for keeping this card data vary by geography and size. Some examples:
- 83 percent of Level 1 companies store card data for fraud analysis (versus 52 percent of other companies)
- 80 percent of German respondents store card data as a unique customer identifier versus 65 percent of US respondents and 63 percent of UK respondents
- 55 percent of the US companies surveyed store data for business intelligence or business analysis, as opposed to 31 percent of UK respondents and 39 percent of German respondents
"PCI DSS is very clear about forbidding the storage of sensitive authentication data, such as the full magnetic stripe and the PIN block – and most merchants understand that continuing to retain this data will cause serious problems in their audit results," said Melvin. "However, in cases where it is necessary to store cardholder data for business operations, we need to educate merchants on how to develop and implement a process that is well-documented, justified and secured."
Barriers to Success
Businesses indicated a number of areas in which they face ongoing challenges in achieving compliance, centering on both technology and policy:
- Current areas of non-compliance: 46 percent of respondents cited a lack of appropriate access management; 39 percent cited a lack of appropriate monitoring and testing; 36 percent cited a lack of appropriate infrastructure management; and 23 percent cited a lack of credit card data protection controls (such as encryption)
- Barriers to protecting card data: More than a quarter of the respondents pointed to data encryption and identity and access management as their largest hurdles to protecting credit card data. Other challenges included infrastructure (16 percent), system event monitoring (13 percent), policy enforcement (10 percent), and data discovery (6 percent)
- Obstacles to controlling access to credit card data include the classification of the data itself, and the development of effective policies and procedures for access control
Businesses did indicate, though, that they are protecting credit card data, with data segregation and encryption continuing to be the dominant credit card data protection mechanisms. Seventy nine percent of respondents employ encryption to protect all credit card data in th