The survey of 500 IT security decision makers across health care, finance, retail, education and government sectors found that most organizations have taken significant steps to become compliant with the standard. A majority of survey respondents were "very confident" they could pass an assessment today.
When asked about their sentiments regarding PCI compliance, 36 percent of respondents said it is not only necessary for protecting cardholder data, but that they don't mind dealing with it. Another 52 percent called the standard “burdensome but necessary.”
“They recognize there are security benefits to PCI compliance,” Fred Kost, director of security solutions at Cisco, told SCMagazineUS.com on Tuesday. “It's a good validation of the security controls and standards in place.”
According to the latest figures from Visa, 96 percent of level-one merchants, those that process more than six million transactions per year, and 95 percent of level-two merchants, those that process between one and six million transactions annually, have validated PCI compliance. The card brand, however, reports only "moderate" compliance for smaller retailers.
Eight percent of respondents to the Cisco survey said they believe the PCI standard is "burdensome and unnecessary," while another five percent said it doesn't go far enough to protect cardholder data.
Educating employees about the proper handling of cardholder data is the greatest challenge for achieving compliance, the survey found.
“The people and education is a big issue that maybe is more challenging to address than just putting a technology in place,” Kost said.
Needing to upgrade antiquated systems to bring them into compliance is the second greatest pain point, followed by having to change business practices, he said. Some of those polled by Cisco said they are not clear about what isrequired or lack the personnel or budget to supportcompliance efforts.
Dan Langin, a Kansas lawyer who advises clients on PCI compliance, told SCMagazineUS.com on Wednesday that organizations commonly have challenges with the step that requires they maintain a policy that addresses information security.
This requirement is somewhat objective and it can be difficult to determine whether the organization is actually in compliance, he said.
The cost to achieve PCI compliance is often tied to an organization's size, with larger companies spending more than their smaller counterparts, Kost said. Sixty-two percent of all respondents said they have spent at least $100,000 on compliance over the past five years.
Among the largest organizations with 10,000 or more employees, one-third have spent more than $1 million on PCI compliance in five years. Just seven percent of organizations with fewer than 500 employees have spent that much, according to the survey.
Langin said the number of complaints he has heard about compliance-related spending have “gone down significantly” over the last two to three years.
“Companies have come to know what to expect in terms of spending,” he said.
Most organizations plan to increase PCI compliance spending in 2011, with some organizations planning to invest in technologies that allow them to comply in virtualized environments, according to the survey.
Version 2.0 of the PCI standard, released in October, identifies virtual environments as “system components” that must be secured. Thirty-six percent of respondents said they plan to increase the number of virtual security appliances, such as firewalls and intrusion prevention systems, to meet PCI 2.0 compliance.
Overall, the vast majority of respondents said they are at least somewhat aware of the clarifications and recommendations included in the PCI 2.0 standard.
“The market is tacking very closely what the [PCI Security] Standards Council is saying and how it's evolving,” Kost said.
Meanwhile, 60 percent of respondents said they are using another emerging technology – point-to-point encryption (P2PE), sometimes referred to as end-to-end encryption – to simplify their compliance requirements. The technology, used to mask cardholder data from point-of-swipe through processing, could allow merchants to reduce their scope in complying with the PCI DSS.
