PCI DSS: Survey Results Reveal More Focus on Complying than Complaining
Recently, our country was up in arms over the new airport security requirements imposed by the Transportation Security Administration (TSA). Travelers complained that the new full-body scanners and pat-downs at airport security checkpoints were inconvenient and invasive, and there was widespread concern that objectors to the new procedures would cause significant delays over the Thanksgiving holiday, the busiest travel time of the year. Grassroots groups encouraged travelers either to refrain from flying or to opt out of full-body scans and choose the more time-consuming pat-downs as a protest. Despite all the hoopla, the Thanksgiving travel rush was not affected by the new procedures. In fact, a recent CBS poll revealed that 4 out of 5 people support the new security measures.
We as individuals like to whine about laws and regulations that keep us safe, and the same can be said for organizations. As Cisco security team members, we have heard our share of customers grumble about compliance requirements such as HIPAA, SOX and, most recently, the Payment Card Industry (PCI) Data Security Standard (DSS). (Strictly speaking, PCI DSS is not a law but an industry standard that merchants and service providers are contractually obliged to meet through the card brands and their acquiring banks; the grumbling sounds much the same either way.) These requirements can be, at times, cumbersome to deal with. Yet, when asked in a recent Cisco-commissioned survey about their sentiments on PCI compliance, organizations were largely positive and on board with PCI.
Cisco commissioned InsightExpress to survey IT decision makers involved with PCI compliance efforts across the health care, retail, education, government and financial sectors. The 500 survey respondents all work in the US, at organizations with 100 or more employees.
We found that 85% of respondents are comfortable with their existing network and security infrastructures and feel that they would pass PCI audits today. 70% of respondents feel their organizations are more secure than they would be if PCI compliance were not required and 87% indicated that they think PCI compliance is necessary. 67% of respondents anticipate that their spending on PCI compliance will increase in the next year and 60% of respondents said PCI can drive budget for other network or security-related projects.
What’s more, 87% of respondents are apparently keeping abreast of PCI requirements: they are aware of the clarifications and recommendations in the new PCI DSS version 2.0. More specifically, organizations appear to have anticipated the new standard’s stipulations regarding virtualization, as 95% of respondents are either completely or somewhat satisfied with their current virtualization security postures now that PCI DSS 2.0 explicitly identifies virtual environments as “system components” that must be secured.
So, Mr. Organization: you like PCI compliance, you think it’s improving your overall security, you’re spending money on it, and it’s helping generate budget for your other security projects. Then why the complaining? The survey did ask, “What problems are you experiencing with regard to PCI compliance?” The top two answers were “educating employees on the proper handling of cardholder data” and “having to upgrade antiquated systems to bring them into compliance.” However, while organizations may struggle to upgrade equipment and educate workforces, perhaps PCI is just the impetus they need to embark upon these beneficial security efforts. Without laws, rules and regulations, how safe would any of us be? Without the recent California laws, I’d still be driving around half-focused on the road and half-focused on my smart phone in-hand.
While PCI compliance can be a challenging task, it is surmountable, and the PCI compliance requirements are for the most part reasonable. When asked in the survey, “Of the twelve PCI requirements, which do you feel cause the most issues for achieving or maintaining compliance? (select all that apply),” the response was fairly flat. Each of the twelve was selected by fewer than 40% of respondents, and most by fewer than 30%. There were no major spikes, suggesting that no single requirement is particularly outlandish or overly burdensome.
The ultimate benefits of PCI compliance are obvious. Being compliant reduces the risk of breaches of consumer credit card data that could cost organizations thousands, millions, or even billions of dollars in incident response and recovery, PR damage control, and lost business. (Compliance is a baseline rather than a guarantee; compliant organizations have still been breached, which is why the standard calls for ongoing monitoring and testing, not a one-time audit.) Also, being PCI compliant allows merchants to offer assurance that it’s safe to conduct business with them. Just like a trip, it’s the getting there that’s hard. I don’t envy the IT security professional who has to track the handling of credit card information throughout a widely dispersed organization. However, I’m sure many of them would opt to walk through an airport body scanner… while juggling… blindfolded… if that were a quick solution to protecting credit card data.
Nobody wants to face a disaster, whether that’s a criminal on a plane or a breach of personal data. We like to push back against regulations but nobody can argue against safety, and organizations certainly cannot argue against protecting their customers and bottom lines. We like to publicly blow hot air but inside we all know the cold truth.