Merchants Warming Up To PCI

Published: 22/11/2024   Category: security




New surveys show more positive PCI perceptions, but PCI check-box era far from over, security experts say



Two new reports issued today -- one by Cisco Systems and the other by the National Retail Federation (NRF) -- show PCI increasingly being perceived as a useful and effective security tool in the eyes of the businesses that must comply with it.
While half of the organizations surveyed by Cisco say PCI is a necessary burden, around 70 percent say it has made their organizations more secure, with 38 percent saying they are much more secure since complying with it, and 32 percent saying they are slightly more secure. Some 85 percent are confident they could pass a PCI audit right now.
The Cisco report also found more than half of the organizations use PCI compliance projects to drive or fund other network and security initiatives, and PCI spending will increase at most organizations this year.
Why such PCI optimism? It could be because most of the organizations in the Cisco survey have been working with PCI compliance for more than four years, and around half since its inception five years ago. "Companies that have been doing PCI for four years are more likely to pass their assessments and more likely to think that they have security benefits from [PCI]," says Rich Mogull, CEO of Securosis. "That's because they probably had minimal security before PCI, so of course they would come out optimistic."
Cisco's survey respondents are mostly primary decision-makers in their organizations (56 percent), nearly half of whom are employed by businesses with 1,000 or more workers. Around 55 percent are Level 2 or Level 3 merchants, and 17 percent are Level 1.
PCI traditionally has been considered more of a check-box item for organizations than a real security tool. A fall 2009 Ponemon Institute study of PCI DSS compliance, commissioned by Imperva, found that only about 30 percent of the merchants took PCI security seriously. While nearly 80 percent of retailers and organizations that handle credit card transactions said they had been hit with a data breach, more than 70 percent still didn't consider security strategic to their operations.
Fred Kost, director of security solutions at Cisco, says the survey (PDF) shows businesses have made significant inroads in PCI compliance. "Most feel they could pass an assessment today. The sentiment is very positive around PCI," he says.
"The biggest shift is in how they view it -- not just as something they have to do and spend money on, but that PCI is actually making their networks and infrastructure more secure. It's making a difference. We also found that PCI compliance and funding are now driving other [security] projects," Kost says.
But don't mistake all of this feel-good sentiment about PCI as a sign that businesses are embracing it without any trouble. "The check-box phase is not over," Securosis' Mogull says. "Most organizations are still struggling with it," he says. "The more companies are aware of PCI and passing their assessments, of course they are going to feel more secure."
Cisco's Kost, meanwhile, sees it differently. "Seventy percent said they feel more secure with PCI," he says. "That says this is not a mandate for a checkbox item ... It speaks to the good work of PCI."
But the story is different when it comes to many small businesses, which, according to the NRF study, are still on a big learning curve when it comes to PCI. While 86 percent of the respondents (most of which transact less than $500,000 in payment card sales annually) in that survey say they care about keeping customer card data locked down and consider this important to their business, 64 percent say they are not vulnerable to credit or debit-card theft.
Two-thirds say they are aware of PCI DSS, but less than half have performed a PCI self-assessment, and 42 percent of those who are in the know about PCI say they didn't realize merchants have to complete these self-assessments annually. Many don't understand their liability in a data breach: more than 60 percent didn't know credit card companies can fine them for every card that has to be cancelled if the merchant ends up being the source of the breach.
Educating employees on proper handling of cardholder data is still problematic in many organizations, the Cisco report found. Some 43 percent ranked that as one of their main challenges with PCI, followed by upgrading systems to meet compliance (32 percent), changing business practices to meet compliance (29 percent), lack of staffing to support PCI efforts (28 percent), and lack of budget for PCI (25 percent).
"One of the biggest challenges is educating employees around PCI in the proper handling of cardholder information. You can encrypt, segment, and [protect] networks, but the employee is often the weakest link if they see that information," Kost says.
PCI compliance is a good baseline, but compliance still doesn't equal security. "Being compliant doesn't mean you're secure," he says.
Says Securosis' Mogull: "It's there to protect credit [and debit] card numbers -- nothing else. It's not going to stop all kinds of attacks, but it's a good baseline."