That key finding comes from a new survey of 670 IT security practitioners conducted by Ponemon Institute and sponsored by data security vendor Imperva.
PCI may have an image problem. According to the study, 50% of security professionals view PCI as a burden, and 59% don't think it helps them improve security. Furthermore, comparing this study with the inaugural one conducted in 2009, the number of respondents who said they had sufficient resources to comply with PCI dropped from 40% to 38%.
Ponemon also found that the number of organizations that had experienced a data breach in the past two years increased from 79% in 2009 to 85% in 2011. Companies reporting that they'd experienced between two and five data breaches in the past 24 months also jumped from 30% to 41%. Furthermore, 39% of all breaches, the study found, involved cardholder data.
Companies that were not in compliance with PCI experienced more data breaches. For example, while 64% of PCI-compliant companies experienced no data breaches in the past two years, only 38% of non-compliant companies didn't experience a data breach.
Interestingly, the survey found no strong correlation between PCI-related expenditures and compliance levels. "In a somewhat counter-intuitive manner, those organizations [that] suffered no breaches are not necessarily those who spent the biggest budget," said Rob Rachwald, Imperva's director of security strategy, on the company's blog.
Looking at the overall survey results, Rachwald said one takeaway is that "PCI is very effective in reducing breaches but it seems many companies don't believe it."
But why are so many companies allowed not to comply with PCI? That fact lends fuel to a regular criticism of PCI, which is that it's little more than a face-saving exercise for the credit card brands. If a company is breached and credit card data stolen, the card brands can blame the merchant for not complying fully with PCI, even if it passed an audit.
That raises the question: Is PCI worth it? The issue of how and why companies spend money on standards such as PCI is contentious, in part because it turns on whether organizations are focused on passing their compliance exam, or on improving security to the point where the company will naturally pass its compliance exam. Focusing only on passing the exam does little to effectively protect cardholder data.
"The number-one thing that scares me isn't the latest attack, or the smartest guy in the street, it's security by compliance, for example with PCI," John P. Pironti, president of risk and information security consulting firm IP Architects, said in an interview. Security by compliance, he said, doesn't do a company any favors, especially because attackers can reverse-engineer the minimum security requirements dictated by a standard to look for holes in a company's defense. In that case, does a little compliance create a false sense of security?