Credit-card security standards questioned, survey says

Most IT security professionals who must comply with the industry standards to protect credit card data think those standards have no impact at all on actual security, according to new study by Ponemon Institute.

10 of the Worst Moments in Network Security History

And they say the main benefit of meeting the standards isn't better security, its better relationships with business partners who regard payment card industry (PCI) compliance as an easy-to-read sign that businesses are paying attention to protecting the personal data of people who use credit cards, the study says.

"PCI does not necessarily mean better security within the hearts and minds of respondents," says Larry Ponemon who conducted "PCI DSS Compliance Survey" for Imperva, which makes database and Web application security products.

Overall, 57% of respondents feel that PCI standards have no impact on a set of 25 security objectives that they were asked about, the survey says. Those objectives are a list created by the Ponemon Institute as a way to make high-level comparisons of data security among different organizations.

The benefit of PCI compliance cited most often by the IT security pros polled was that it improves relationships with business partners, not that it made data more secure. That was followed closely by helping capture more IT funding for security. No. 3 was that PCI compliance did improve the overall security posture of the business.

PCI compliance can be used as a lever to wrest IT security funding from corporate budget makers, the survey indicates. Saying that money will help with PCI compliance is a better argument than saying it will make data safer, Ponemon says. "If you're striving just to improve security, it's hard to get the upper echelons to see the value," he says. "They are more likely to pay for PCI because it helps in working with business partners than because it's the right thing to do."

On average the 560 security pros surveyed spend 35% of their IT security budgets on meeting PCI standards. Much of this money would be spent on the same measures anyway, even if PCI compliance wasn't an issue, Ponemon says. Protections dictated by PCI would be made simply because they are sound security practices. (Read a story rating apology letters from companies after a data breach.)

When asked to assess the value they receive from PCI expenditures, 43% say they get what they pay for and 23% say they get more value than they pay for. The rest, 34%, say they get less.

In implementing the standards, respondents pick and choose what they protect. The majority of respondents to the survey (55%) say they direct their PCI efforts toward protecting cardholder data only, with just 12% addressing security of all personal data. Just 22% say all their applications and databases are protected in accordance with PCI standards; 25% say protection of their applications isn't compliant at all.

The most popular tool for protecting credit card data is the firewall, followed by antivirus/antimalware products and encryption of data at rest and in motion. They find those four technologies to be the most cost effective as well.
PCI compliance most commonly falls to the CISO or the CIO on the technology side, but corporate legal departments are equal partners overall, the study finds, indicating the complex implications of compliance.