A new Payment Card Industry (PCI) survey finds that respondents anticipate significantly increased spending on PCI compliance this year, which should drive security-related budgets across numerous IT areas. The survey of 500 IT executives on what's happening as a result of the recent update to the 5-year-old PCI Data Security Standards (PCI DSS 2.0), conducted by InsightExpress on behalf of Cisco, also found that the majority of respondents believe their organizations are more secure than they would be if PCI compliance wasn't required.
The survey was intended to discover where the PCI industry is and what impact it will have on organizations and their IT expenditures, says Fred Kost, director, security solutions, at Cisco. Overall, the PCI Council has been successful in communicating and getting active participation and increased adoption of the PCI standards among stakeholders, he says, but more work is required.
A recent survey by Verizon finds that organizations struggle when they have to engage in continuous security activity, such as daily monitoring of logs, according to the business analysis of its PCI assessment clients. In addition, Verizon finds that organizations that had suffered data breaches of cardholder information performed dismally in terms of compliance with most PCI requirements.
Verizon also reported that about one-fifth of the organizations included in the analysis were found to be fully PCI-compliant in Verizon's Initial Report on Compliance (IROC), issued after the assessors' site visit.
Organizations performed woefully across all aspects of regularly testing security systems and processes, but failure to perform file integrity monitoring was the single greatest failure among the 150 or so tests required across the PCI standard. The consistent theme across the non-compliance findings for tracking, monitoring and regular testing was the failure to apply security practices that require continuous activity.