IDG News Service - Consumers face a greater risk of losing control of their data when doing business with smaller retailers, as many haven't made investments to comply with the Payment Card Industry's Data Security Standard (PCI DSS), according to a new survey.

The survey, which covered 560 U.S. and multinational organizations, asked respondents a variety of questions about their investments and deployment of technology to comply with PCI DSS, which was introduced in 2005. It's an industry standard created by major credit card companies that's designed to protect customer payment data.

The survey found that 55% of organizations only secured credit card information but not other data such as Social Security and driver's license numbers or bank account details. Also, only 28 percent of smaller companies between 501 to 1,000 employees comply with PCI DSS. That compares with more than 70% of large merchants with 75,000 or more employees that claimed they're compliant.

"If you go the larger organizations to do business, you are more likely to be secure today," said Amichai Shulman, CTO for Imperva, which makes security software for businesses to comply with PCI DSS. Imperva commissioned the survey from Ponemon Institute, a company that conducts research into privacy and information security policy.

The prime reason that companies don't comply with PCI DSS is cost, Shulman said. "They don't go to the effort to be compliant because it's all or nothing, so they currently do nothing," Shulman said.

Larger companies find it somewhat easier to handle the costs, he said. On average, companies spend about 35 percent of their IT security budgets on PCI DSS compliance.

Payment card companies mandate compliance, and most merchants are supposed to be compliant by now, according to information on the PCI Security Standards Council's Web site.

The survey turned up some other disconcerting results. Around 10% of the respondents who said they were PCI DSS compliant said they weren't using basic security software such as antivirus, firewalls and SSL (Secure Sockets Layers), Shulman said.

PCI doesn't prescribe the use of specific software products but instead promotes practices and general advice, such as using a firewall and antivirus. In recent years, vendors have developed products to make the implementation of PCI DSS easier. Still, the result was surprising and indicative of perhaps continuing confusion or difficulty some businesses are having with PCI DSS.

"I would find it very hard to explain why I'm not using SSL as part of my PCI compliance," Shulman said. "It seems to me that there is too much room for misinterpretation of the requirement, and companies are abusing it."

PCI DSS is in the process of being updated, and the survey will be used as input. The PCI Security Standards Council, which was set up by major credit card companies in 2006, is collecting feedback through Oct. 31 on changes to a new version of the standard, due for release in September 2010.

Comment Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.

Jump to comments

Imperva

Additional Resources

Microsoft

DirectAccess and UAG: Better Together

Here are some of the key reasons why you would want to run Unified Access Gateway with DirectAccess.

Microsoft

Case Study: Energy Firm Tightens Protection, Simplifies IT Work

Review how one energy firm tightened protection and simplified IT work using business-ready security solutions.

Sybase

NEXT-GENERATION MOBILITY PLATFORMS

In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions.

Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.

What People Are Saying

11 comments | Add new

See all comments (11) | Add new

White Papers & Webcasts

Is Collaboration the buzz word of 2010 or buzzkill?
Read this whitepaper today!

Data in Action: Making the Planet Smarter
Register Now

A Survival Guide For Portable Data Storage in a Unsecure World
Read this whitepaper today!

Hosted Security Services: Why it make budget and security sense in today's economy
Watch Now

7 Ways to Optimize VMware Server Virtualization
Download This Whitepaper Now!

The Workday User Experience Video
Watch Workday's Creative Director, Scott Lietzke, discuss the business-centered design philosophy at Workday.

IT Consolidation and Disaster Recovery- Simply, Cost-effectively, and Simultaneously
Download this complimentary white paper! Provided by 3PAR.

Business Process Framework Demo
Learn about Configurable Business Processes and Calculated Fields. Watch Now!

Oracle Accelerate - Not Just Smart but Timely
Download Now!

Manager Experience Demo
Go beyond self-service solutions to perform more effectively. Watch Now.

All White Papers | All Webcasts

Computerworld Reports

Computerworld Technology Briefing: More than Business Value

Computerworld Briefing: Staffing for Intelligence

8 Questions To Ask About Your Intrusion-Security Solution

All Computerworld Reports

Business Continuity Zone
An organization's business continuity plan helps keep critical functions running during an emergency–the power fails, a virus is unleashed on your network, a natural disaster has occurred. Even the slightest downtime or loss of data can cripple your operation. CDW can help you prevent disaster by implementing a well-planned recovery strategy.
Click here to visit the Zone

See All Zones