A survey of Qualified Security Assessors (QSAs) on how businesses are dealing with the 12 mandatory requirements of the Payment Card Industry Data Security Standard (PCI DSS) contains a number of interesting nuggets. For example, according to assessors:
- The largest merchants spend an average of $225,000 just on auditor expenses to comply with PCI DSS standards.
- Only a tiny percentage of organizations fail a PCI audit (2%), but 41% rely on compensating controls (alternative mechanisms not prescribed by the PCI DSS standard itself) to pass the audit.
- Restricting access to card data (Requirement No. 7) is the most important PCI DSS compliance requirement, but also the most difficult to achieve.
- Firewalls and encryption trump website sniffers, credentialing systems and intrusion detection/prevention systems for achieving compliance.
- Encryption is the best way to ensure end-to-end protection of card data (60%), but tokenization is gaining ground (35%).
QSAs are the certified auditors who validate PCI DSS compliance at large merchants and service providers. PCI DSS is the set of baseline security requirements introduced in 2006 for businesses that accept and process credit cards. The findings are from PCI DSS Trends 2010: QSA Insights Report.
But what is the message for IT security organizations in the survey?
Four years after the standard was introduced, and many credit card data breaches later, a great many businesses are still operating under the delusion that data security is something for the IT security detail to take care of, rather than a core business initiative.
In fact, according to assessors, while business units (40%) or legal departments (28%) most often own the budget for annual compliance assessments, IT security is most often responsible for ensuring compliance (30%). The organizations the assessors deal with are not making data security a strategic priority (42%); are not proactively managing data privacy and protection (51%); are overwhelmed by the cost of compliance (54%); and don’t believe PCI DSS compliance improves data security (44%).
Maybe it’s time to do the equivalent of what women did way back in the last century (burning bras) to make the business understand that data security is their business. IT security liberation!
A note on the survey: The 155 QSAs participating in the study were culled from 3,005 respondents who had to be certified or working toward a certification. On average, the QSAs surveyed had participated in eight PCI DSS assessments over the past 12 months. Some 59% of the assessments involved Tier 1 merchants and another 28% involved Tier 1 service providers, or the largest acceptors and processors of card transactions. (Tokenization refers to the process of replacing sensitive data with unique identification symbols that retain all the essential information without compromising its security; e.g., replacing all but the last four digits of your credit card number with alphanumeric symbols representing miscellaneous cardholder information and details about the current transaction.)
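To make the tokenization note concrete, here is an added example (not from the report or any vendor's product) of the vault-based approach the note describes: a card number is replaced by a random surrogate that keeps only the last four digits, and only a protected vault can map the surrogate back. The token alphabet, length rule and in-memory dict standing in for a hardened vault are all assumptions of this example; the card number used is a constructed test value.

```python
"""Vault-based tokenization of a primary account number (PAN); added example.

Assumptions (not from the page): tokens keep the PAN's length and last four
digits, the other positions are random uppercase letters, and the token->PAN
map lives in an in-memory dict that stands in for a hardened token vault.
"""
import secrets
import string

# Letters only, so a token can never be mistaken for (or pass validation as) a PAN.
TOKEN_ALPHABET = string.ascii_uppercase


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible card number."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits


class TokenVault:
    """Maps PANs to random surrogate tokens and back.

    The token is generated at random rather than derived from the card number,
    so a token leaked from a downstream system reveals nothing beyond the last
    four digits; only the vault can recover the PAN.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, raw_pan: str) -> str:
        pan = normalize_pan(raw_pan)
        if pan in self._pan_to_token:      # same card -> same token (stable for reporting)
            return self._pan_to_token[pan]
        last_four = pan[-4:]
        while True:
            body = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(len(pan) - 4))
            token = body + last_four
            if token not in self._token_to_pan:   # guard against an (unlikely) collision
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Look up the PAN; only systems inside the cardholder data environment should call this."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


def demo() -> tuple[str, str]:
    """Tokenize a constructed sample PAN and return the (token, recovered PAN) pair."""
    vault = TokenVault()
    sample_pan = "4111 1111 1111 1111"   # constructed test number, not real card data
    token = vault.tokenize(sample_pan)
    recovered = vault.detokenize(token)
    return token, recovered


if __name__ == "__main__":
    token, pan = demo()
    print("token:", token)        # twelve random letters followed by the card's last four digits
    print("vault lookup:", pan)   # the original PAN, digits only
```

The design point is that everything outside the vault (order history, analytics, support tools) works with the token, which shrinks the footprint that Requirement 7's access restrictions and a PCI assessment have to cover; the vault itself, and whatever can call `detokenize`, remains squarely in scope.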