In one of the most comprehensive PCI-related surveys ever completed, we find some very interesting results. This Cisco-commissioned survey of 500 U.S.-based companies asked IT decision makers about their PCI compliance efforts. The survey covers a broad range of verticals, including healthcare, retail, education, government and financial services. Over 22% of the businesses surveyed had more than 10,000 employees and 49% had more than 1,000. Over 43% of those surveyed were either Level 1 or Level 2 merchants. Only businesses with 100 or more employees were included in the sample.
With a sample of this size and composition, the results should give a good picture of how the majority of businesses in scope for PCI view PCI compliance. Here are the results that I found most interesting and, in some cases, downright amazing.
85% of those surveyed said they are comfortable that their existing network infrastructure would pass a PCI audit if it were done today. That is a staggeringly high number and came as a surprise to me. It indicates that those responsible for compliance at these companies feel not only that they can pass an audit once a year, but also that they have the processes in place to maintain their security posture and pass a spot-check PCI audit. This result differs significantly from what I would have predicted. But when we dig deeper, we see that 60% of those surveyed have never had to pass a PCI audit performed by a Qualified Security Assessor (QSA). Instead, they have been completing a Self-Assessment Questionnaire (SAQ). In other words, for most of these respondents that confidence has never been tested by an independent assessor. Very interesting.
70% said that becoming PCI compliant has made their company more secure. 15% said they already did what PCI requires, and 10% said PCI does not make them more secure. Additionally, 67% said they will increase spending on PCI compliance in the next year, with only 1% saying their spending will decrease dramatically. I found it very interesting that the numbers for "PCI made us more secure" and for increased spending next year lined up so nicely. It was also a surprise that 10% of respondents thought PCI did not make them more secure. I'm still scratching my head over how that can be true.
Only 13% of those surveyed said that their general sentiment regarding PCI was negative. Given all the grumbling about PCI I've heard over the years, this is not only surprising but great news. It means that most agree that, yes, it's a burden, but it's worth doing.
Only 14% said they were not versed in the changes in the new PCI DSS 2.0 standard. That means 86% are up to speed, which is unexpectedly high and also great news. I think it speaks to the excellent marketing and education that the PCI Council and the PCI community have done around PCI 2.0.
There are, of course, many other questions and results in the Cisco PCI survey, so be sure to check it out for yourself here:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns625/...
If you have any PCI or survey questions, please post them.
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
More from Jamey Heary:
* Credit Card Skimming: How thieves can steal your card info without you knowing it
* Google Nexus One vs. Top 10 Phone Security Requirements
* Why you should always shred your boarding pass
* Video rental records are afforded more privacy protections than your online data
* The truth about new SSL attacks
* 2009 Top Urban Legends in IT Security
Go to Jamey's Blog for more articles on security.
Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.
Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP and CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.