NetIQ: Majority of companies are still failing to comply with PCI Data
July 2008 by NetIQ
A recent survey conducted by NetIQ, an Attachmate business, has revealed that 88% of organisations are still not compliant with the Payment Card Industry’s Data Security Standard DSS (PCI DSS), more than two years since it first became compulsory, and that the majority of respondents have no fixed timeframe for achieving compliance.
The research, carried out by NetIQ amongst 65 IT managers across Europe, reveals that while companies are working hard to meet the demands of the PCI DSS, the compliance requirements have proven much more difficult to meet than anticipated. Coming just weeks ahead of the June 30th deadline for PCI DSS 6.6 concerning security measures to protect web applications, the situation promises to become even more complex.
The findings reveal that 54% of respondents are unable to forecast when they will be fully compliant with the standard, which was originally introduced in January 2005 to help organisations enforce security management, policies, procedures, network architecture, software design and other critical protective measures. Only 12% of respondents were currently compliant and 17% of those that responded predicted that they would be compliant within six to twelve months.
The findings also show that European companies are some way behind their US counterparts in reaching compliance with 23% of participants in a similar survey of 300 US organisations stating that they are already PCI DSS compliant. However, as with Europe, a significant proportion of US organisations could not put a fixed date on completion with 44% still unsure of their timeline for becoming fully compliant.
The road to compliance is typically a long one, as 49% of those working toward compliance had been doing so for more than six months. This may be linked to the fact that 70% of respondents believe that the penalties for non-compliance will only occasionally be levied, and 23% believe that fines would ‘almost never’ be issued.
An overwhelming majority of respondents believe that the main threats to cardholder security now come from within the organisation, as 78% of respondents cited ‘insiders with access to data’ as the main threat ahead of ‘external attackers’ or ‘business partners.’
Adam Evans, senior security specialist for NetIQ comments: “Although companies have been working hard to achieve the PCI standards, compliance obviously eludes the majority of them and for many proves a long and arduous struggle. Tools like ours exist to ease the burden and speed up the process. Compliance represents a significant long-term commitment of resources, although the cost of a security breach and the subsequent damage to an organisation’s brand could be far greater – it’s a risk that’s not worth taking.”