Title: 2011 PCI DSS Compliance Trends Study - Ponemon Institute
Date: 04/29/11
Business Activities: Security - Administrative Safeguards, Security - Technical Safeguards
Impact to Subscriber:

The percentage of organizations reporting data breaches increased over the past 24 months (from 79% in 2009 to 85% in 2011), with the largest increase among companies that reported two to five incidents (41% in 2011, up from 30% in 2009); the majority of organizations experienced data breaches that were not limited to cardholder data (55%). Half of respondents were unclear about the impact of PCI DSS compliance, but more organizations are fully compliant with PCI DSS now than they were in 2009. Increased compliance has resulted in fewer data breaches: among organizations experiencing 2 or more incidents, PCI DSS compliant organizations accounted for 38% compared to 78% for non-compliant organizations; however, among companies experiencing only 1 breach, compliant companies made up a higher share than non-compliant ones (43% versus 14%). Despite the increase in compliance, respondents' perception of PCI DSS has declined, with 50% stating that their organization views PCI DSS as a burden. The compliance requirements that were most difficult to implement include restricting access to confidential data on a need-to-know basis, developing and maintaining secure systems and applications, and protecting stored confidential data. The locations presenting the most serious threats to cardholder data are networks controlled by merchants, databases controlled by merchants, and paper documents. To protect against these threats, organizations are spending more on their IT security and PCI DSS compliance budgets and are implementing endpoint encryption solutions, anti-virus and anti-malware, and web application firewalls.

Authority:
Risk Guidance:
Control Guidance:

Relevance:
Background Facts:

  • the 2011 PCI DSS Compliance Trends Study (also conducted in 2009):
    • by the Ponemon Institute, and sponsored by Imperva, was conducted to determine if PCI DSS compliance improves organizational security:
      • i.e. how the move to comply with PCI DSS affects an organization's strategy, tactics and approach to achieving enterprise data protection and security.
    • surveyed a total of 670 US and multinational IT and IT security practitioners, who are involved in their companies’ PCI DSS compliance efforts, in the following:
      • jurisdictions:
        • United States;
        • Canada;
        • EMEA;
        • Asia-Pacific; and
        • Latin America (including Mexico).
      • sectors:
        • financial services;
        • public sector;
        • healthcare;
        • retailing;
        • industrial;
        • education & research;
        • technology & software;
        • communications;
        • energy & utilities;
        • services;
        • consumer products;
        • hospitality;
        • pharmaceuticals;
        • transportation; and
        • other.



Relevance to Business Activities:

  • security - administrative and technical safeguards considerations:
    • data breach experience including those involving cardholder data from 2009 to 2011 (24 month period):
      • overall, the percentage of respondents reporting that their organization had a data breach in the past 24 months increased from 79% in 2009 to 85% in 2011:Risk
        • number of data breaches:
          • none:
            • 2011 - 15%; and
            • 2009 - 21%.
          • one incident:
            • 2011 - 33%; and
            • 2009 - 38%.
          • two to five incidents:
            • 2011 - 41%; and
            • 2009 - 30%.
          • more than five incidents:
            • 2011 - 11%; and
            • 2009 - 11%.
    • data breach incidents involving only cardholder data over the past 24 months:Risk
      • none - 55%;
      • 1 incident - 30%;
      • 2 to 5 incidents - 6%; and
      • more than 5 incidents - 0%.
    • perceived impact of PCI DSS on data breach experience:
      • yes - 12%;
      • no - 38%; and
      • unsure - 50%.
    • PCI DSS compliance experience in 2009 and 2011 studies:
      • not compliant:Risk
        • 2011 - 16%; and
        • 2009 - 25%.
      • only some applications and databases are compliant:Risk
        • 2011 - 18%; and
        • 2009 - 25%.
      • most applications and databases are compliant:
        • 2011 - 33%; and
        • 2009 - 28%.
      • all applications and databases are compliant (fully compliant):Control
        • 2011 - 33%; and
        • 2009 - 22%.
    • data breach experience for compliant and non-compliant groups:
      • none:
        • compliant - 18%; and
        • non-compliant - 8%.
      • 1 incident:
        • compliant - 43%; and
        • non-compliant - 14%.
      • 2 or more incidents:
        • compliant - 38%; and
        • non-compliant - 78%.
    • data breach of cardholder data for compliant and non-compliant groups:
      • compliant - 64%; and
      • non-compliant - 38%.
    • organizations that do not store primary account numbers ("PAN") are less likely to experience the loss or theft of cardholder data:Control
      • does the organization retain and store PAN:
        • yes - 66%; and
        • no - 34%.
      • reasons why the organization retains and stores PAN:
        • customer service - 52%;
        • card reuse - 49%;
        • charge backs - 45%;
        • recurring subscriptions - 31%;
        • marketing analytics - 19%; and
        • other - 3%.
      • percentage of respondents' companies that did not experience a data breach involving cardholder data:
        • companies that retain PAN - 40%; and
        • companies that do not retain PAN - 85%.
    • PCI DSS contributes about the same or more value than other security expenditures made:
      • relative value of PCI DSS compliance expenditures - PCI DSS compliance contributes:
        • more value - 33%;
        • about the same value - 35%; and
        • less value - 32%.
    • extrapolated IT security budget and spending on PCI DSS compliance:
      • extrapolated value of the IT security budget:
        • 2011 - $14.64 million; and
        • 2009 - $14.27 million.
      • extrapolated value of PCI DSS compliance:
        • 2011 - $5.55 million; and
        • 2009 - $5.05 million.
    • value propositions for PCI DSS compliance:
      • improves our organization’s relationship with key business partners:Control
        • 2011 - 66%; and
        • 2009 - 64%.
      • helps secure more funding for IT security:Control
        • 2011 - 59%; and
        • 2009 - 63%.
      • improves our organization’s data security posture:Control
        • 2011 - 39%; and
        • 2009 - 45%.
      • heightens awareness among C-levels within our organization:Control
        • 2011 - 35%; and
        • 2009 - 33%.
      • improves our organization’s marketplace brand and reputation:Control
        • 2011 - 19%; and
        • 2009 - 21%.
    • respondents' perception about compliance with PCI DSS has declined:
      • my organization views PCI DSS as a burden (not included in 2009 survey) - 50%;Risk
      • my organization’s CEO is a strong supporter of PCI DSS compliance efforts:Control
        • 2011 - 45%; and
        • 2009 - 45%.
      • my organization is proactive in managing privacy and data protection risks:Control
        • 2011 - 44%; and
        • 2009 - 48%.
      • compliance with PCI DSS improves our organization’s data security:Control
        • 2011 - 41%; and
        • 2009 - 44%.
      • my organization has sufficient resources to achieve compliance with PCI DSS:Control
        • 2011 - 38%; and
        • 2009 - 40%.
      • my organization views data security as a strategic initiative across the enterprise:Control
        • 2011 - 25%; and
        • 2009 - 29%.
    • data breach experience for respondents in the favorable and unfavorable perception of PCI DSS groups:
      • favorable view:
        • less than 2 incidents - 60%; and
        • 2 or more incidents - 40%.
      • unfavorable view:
        • less than 2 incidents - 24%; and
        • 2 or more incidents - 76%.
    • the PCI DSS requirements that are difficult to comply with:
      • restrict access to confidential data by need-to-know only:Control
        • most difficult - 49%; and
        • least difficult - 7%.
      • develop and maintain secure systems and applications:Control
        • most difficult - 45%; and
        • least difficult - 4%.
      • protect stored confidential data:Control
        • most difficult - 41%; and
        • least difficult - 11%.
      • restrict physical access to confidential data:Control
        • most difficult - 32%; and
        • least difficult - 14%.
      • track and monitor all access to network resources and confidential data:Control
        • most difficult - 32%; and
        • least difficult - 17%.
      • encrypt transmission of confidential data across open, public networks:Control
        • most difficult - 28%; and
        • least difficult - 20%.
      • regularly test security systems and processes:Control
        • most difficult - 23%; and
        • least difficult - 12%.
      • use and regularly update anti-virus software:Control
        • most difficult - 21%; and
        • least difficult - 23%.
      • install and maintain a firewall configuration to protect confidential data:Control
        • most difficult - 13%; and
        • least difficult - 43%.
      • maintain a policy that addresses data security:Control
        • most difficult - 7%; and
        • least difficult - 50%.
      • assign a unique ID to each person with computer access:Control
        • most difficult - 4%; and
        • least difficult - 46%.
      • do not use vendor-supplied defaults for passwords and other parameters:Control
        • most difficult - 4%; and
        • least difficult - 54%.
    • parties responsible for ensuring PCI DSS compliance:
      • business unit leaders - 30%;
      • no one person - 17%;
      • CIO - 15%;
      • CISO - 14%;
      • legal - 13%;
      • IT compliance - 5%;
      • other - 3%; and
      • CTO - 3%.
    • parties responsible for PCI DSS compliance:
      • comparing groups that view PCI favorably and those that view it unfavorably:
        • legal:
          • favorable view - 4%; and
          • unfavorable view - 19%.
        • CISO:
          • favorable view - 8%; and
          • unfavorable view - 18%.
        • no one person:
          • favorable view - 11%; and
          • unfavorable view - 21%.
        • CIO:
          • favorable view - 24%; and
          • unfavorable view - 9%.
        • business unit leader:
          • favorable view - 40%; and
          • unfavorable view - 23%.
    • location of the most serious threats with respect to cardholder data:
      • network controlled by merchants - 43%;Risk
      • databases controlled by merchants - 42%;Risk
      • paper documents - 29%;Risk
      • payment applications - 28%;Risk
      • unattended payment terminal devices - 21%;Risk
      • point of sale ("POS") device - 18%;Risk
      • payment processor networks - 14%;Risk and
      • other - 2%.
    • perceptions about the PCI quality assurance ("QA") program:
      • a QA program is now in place and the organization conducted an audit or assessment by a bona fide QA professional - 58%;Control and
      • respondents believe the QA program helps their organization achieve its PCI DSS compliance requirements or objectives - 68%.
    • respondents’ view on how the QA program affects the security of cardholder data in their organization:
      • improves the protection of cardholder data - 60%;
      • has no effect on the protection of cardholder data - 32%; and
      • diminishes the protection of cardholder data - 8%.
    • respondents’ views on what can be done to improve the QA program:
      • reduce pass mark value - 51%;
      • increase number of scored items - 45%;
      • nothing - 40%;
      • change to peer-review QA program - 36%;
      • validate "correctness" of assessment along with form and process - 21%;
      • reduce number of scored items - 16%;
      • eliminate QA program - 14%; and
      • QA performed by independent third party - 12%.
    • movement toward endpoint encryption solutions:
      • organizations are moving toward endpoint encryption solutions and away from code review or debugging systems as technologies that enable compliance with PCI DSS:
        • technologies used by respondents' companies to achieve compliance with PCI DSS requirements:
          • endpoint encryption solution:Control
            • 2011 - 54%; and
            • 2009 - 40%.
          • anti-virus & anti-malware solution:Control
            • 2011 - 82%; and
            • 2009 - 73%.
          • web application firewalls ("WAF"):Control
            • 2011 - 50%; and
            • 2009 - 44%.
          • firewalls:Control
            • 2011 - 99%; and
            • 2009 - 93%.
          • identity & access management systems:Control
            • 2011 - 55%; and
            • 2009 - 50%.
          • correlation or event management systems ("SIEM"):Control
            • 2011 - 36%; and
            • 2009 - 31%.
          • data loss prevention systems:Control
            • 2011 - 30%; and
            • 2009 - 28%.
          • database scanning and monitoring:Control
            • 2011 - 43%; and
            • 2009 - 42%.
          • website sniffer or crawlers:Control
            • 2011 - 8%; and
            • 2009 - 9%.
          • encryption for data at rest:Control
            • 2011 - 64%; and
            • 2009 - 65%.
          • encryption for data in motion:Control
            • 2011 - 63%; and
            • 2009 - 64%.
          • ID & credentialing system:Control
            • 2011 - 26%; and
            • 2009 - 27%.
          • traffic intelligence systems:Control
            • 2011 - 11%; and
            • 2009 - 13%.
          • access governance systems:Control
            • 2011 - 51%; and
            • 2009 - 55%.
          • perimeter or location surveillance systems:Control
            • 2011 - 29%; and
            • 2009 - 33%.
          • intrusion detection or prevention systems:Control
            • 2011 - 32%; and
            • 2009 - 37%.
          • virtual private network ("VPN"):Control
            • 2011 - 35%; and
            • 2009 - 40%.
          • code review or debugging systems:Control
            • 2011 - 50%; and
            • 2009 - 58%.
    • technologies used by respondents’ companies to achieve compliance with PCI DSS requirements:
      • 2011 data comparing compliant versus non-compliant organizations:
        • access governance systems:
          • compliant - 60%; and
          • non-compliant - 34%.
        • anti-virus & anti-malware solution:
          • compliant - 90%; and
          • non-compliant - 65%.
        • WAF:
          • compliant - 55%; and
          • non-compliant - 39%.
        • traffic intelligence systems:
          • compliant - 16%; and
          • non-compliant - 2%.
        • identity & access management systems:
          • compliant - 58%; and
          • non-compliant - 50%.
        • endpoint encryption solution:
          • compliant - 57%; and
          • non-compliant - 49%.
        • encryption for data in motion:
          • compliant - 66%; and
          • non-compliant - 58%.
        • correlation & SIEM:
          • compliant - 38%; and
          • non-compliant - 32%.
        • intrusion detection or prevention systems:
          • compliant - 34%; and
          • non-compliant - 28%.
        • ID & credentialing system:
          • compliant - 28%; and
          • non-compliant - 22%.
        • encryption for data at rest:
          • compliant - 66%; and
          • non-compliant - 61%.
    • conclusions:
      • overall, respondents are not as positive in this year’s study about how PCI DSS compliance can help strengthen their organization’s security posture:
        • compliant organizations are more successful in reducing data breaches, especially those breaches that involve cardholder data:
          • however, the findings also reveal that IT and IT security practitioners may not be aware of the positive impact compliance could have.Risk
        • there is very little buy-in and support from management despite the regulatory requirement;Risk
      • the challenge facing IT professionals is the need to make the business case for PCI DSS so that it becomes part of the company’s overall strategic initiative.Control
      • management may become more supportive of PCI as part of an enterprise-wide security initiative if its importance to the brand and reputation of the company could be demonstrated:
        • however, only 19% of IT and IT security practitioners believe PCI compliance is valuable to improving brand and marketplace reputation.
      • the 2009 study recommended that organizations display a logo showing they are PCI compliant to create customer awareness about the company's efforts to prevent credit card fraud;Control and
      • it is important to assign a clear champion who is accountable and responsible for both PCI DSS and the enterprise-wide security program:
        • this champion should be empowered to direct numerous cross-functional teams to ensure broad support for PCI:Control
          • a goal of these teams will be to build a business case that results in the resources needed to ensure that PCI is an integral part of the company’s overall security initiative.Control


Source Document:

http://www.imperva.com/docs/AP_Ponemon_2011_PCI_DSS_Compliance_Trends_Study.pdf