Cisco has unveiled the results of a survey of 500 IT decision-makers regarding the PCI Data Security Standard (PCI DSS) 5 years after its introduction. The results are surprisingly positive; to me they demonstrate the value that increased awareness and applying the foundational basics of information security can have.
The survey included IT decision-makers involved in PCI-compliance programs from several industries, aiming to gauge adoption, uncover the costs and challenges associated with compliance, and measure adoption of certain technologies to better understand the approaches that organizations are taking to meet the requirements.
Key survey findings
- 70% of respondents feel their organization is more secure than if PCI compliance were not required.
- 87% believe PCI requirements are necessary for protecting cardholder data.
- Retail and financial services respondents both felt confident that they would pass an assessment of their PCI compliance.
- 67% of respondents anticipate spending on PCI compliance will increase in the next year, indicating positive executive and board buy-in.
- 60% of respondents suggested that PCI-compliance projects can drive other IT or network security projects.
- When asked to define specific challenges for implementing the PCI DSS requirements, educating employees on the proper handling of cardholder data was the single most highly recognized problem identified, at 43%.
- Updating antiquated systems was named by 32% of respondents.
- Of the 12 PCI requirements, the top 3 issues for achieving or maintaining compliance were:
  - Tracking and monitoring access to network resources and cardholder data (37%)
  - Developing and maintaining secure systems and applications (32%)
  - Protecting stored cardholder data (30%)
Adherence to PCI
Government fared better than other sectors on PCI assessments, but the vast majority of respondents are making strides in protecting their sensitive cardholder data.
- 78% passed their previous initial assessment.
- 85% believe they would currently pass an assessment.
- 85% of governmental organizations passed their initial assessment.
- 72% of health care organizations passed.
- More than 85% of respondents were aware of the clarifications and recommendations in the newly announced PCI DSS 2.0 standards.