Ponemon Institute and Imperva Survey Shows Companies Still Struggle to Protect Consumer Credit Card Data

September 23, 2009

REDWOOD SHORES, California and TRAVERSE CITY, Michigan, September 23 /PRNewswire/ –

    - 71% of Companies do not Treat PCI as a Strategic Initiative - Yet 79%
      Have Experienced a Data Breach

    - 55% do not Secure Social Security Numbers, Driver's License Numbers,
      and Bank Account Details; Consumers are More at Risk With Smaller

    - Data Security Leader Imperva Provides Recommendations to Consumers,
      Businesses and PCI DSS Council in Advance of the Oct 31st Deadline

Imperva and the Ponemon Institute today announced the findings of a
survey (http://www.imperva.com/ld/ponemon.asp) across more than 500 U.S. and
multinational IT security practitioners showing that, despite the Payment
Card Industry’s (PCI) Data Security Standard (DSS), companies still struggle
with data security, putting consumers at continued risk for identity theft.
In fact, 71% of companies surveyed admit to not making data security a top
strategic initiative, and 55% admit to only securing credit card information
and not sensitive information such as Social Security numbers, driver’s
license numbers, and bank account details. However, the survey also found
that companies taking a strategic approach to PCI compliance have fewer data
breaches. Based on these findings, Imperva is making specific recommendations
to consumers, businesses and the PCI DSS Council to improve the safety of
consumers’ personal information.

The PCI DSS standard was put into effect to provide security guidelines
to all businesses that handle credit card information to better protect
consumers. Since it was enacted in June 2005, the number of data breaches and
amount of credit card fraud has continued to rise.

According to the survey of more than 500 U.S. and multinational IT
security practitioners at companies with an average of $5.6 billion in annual

    - 71% of respondents do not treat PCI as a strategic initiative, yet 79%
      have experienced a data breach involving the loss or theft of credit
      card information.

    - 55% of respondents focus only on credit card data protection and do not
      attempt to secure sensitive information such as Social Security
      numbers, driver's license numbers, bank account details and other data
      about people and families.

    - 60% of respondents don't think they have sufficient resources to comply
      with PCI and bring about a necessary level of cardholder security.

“Nobody is in business to be compliant. But there is a silver lining to
this survey: if you protect consumers as required by the PCI DSS standard,
there is an incredible opportunity to improve your overall security posture,”
said Shlomo Kramer, Imperva’s CEO.

“Security departments are using PCI compliance as leverage to gain more
budget, but these resources are not always translating into greater security
for sensitive customer data,” said Larry Ponemon, chairman and founder,
Ponemon Institute. “The results of our study indicate that while some
companies have figured out how to convert PCI standards into an overall
security mandate, many more have not.”

Smaller businesses struggle the most

The survey found that only 28% of smaller companies (501-1000 employees)
comply with PCI as opposed to 70% of larger companies (75,000 or more

“Companies devote 35% of their IT security budgets to PCI compliance on
average, making cost a significant obstacle, especially for smaller
companies,” explained Amichai Shulman, Imperva’s CTO. “This is why Imperva is
recommending that the PCI DSS Council modify the requirements for larger and
smaller companies to take into account different environments and security

“The PCI Security Standards and the card brands must update the PCI-DSS
so that it’s risk-based, depending on the system configuration of the
complying company. The ‘one size fits all’ approach of the current standard
imposes unreasonable requirements on many companies that have simple
networks, or have implemented security technologies that aren’t included in
the PCI standards, but provide equal or greater levels of protection,” said
Avivah Litan, Vice President and Distinguished Analyst with Gartner Research,
in a May 2009 report, “Moving Beyond PCI at Visa’s Global Security Summit.”

Companies that take a strategic approach to PCI compliance have fewer
data breaches

The PCI DSS standard has the potential to make a powerful impact to
corporate IT security initiatives. The survey shows that 27% of companies
believe that PCI-DSS compliance is positively contributing to their
organizations’ security posture and are taking a strategic approach to
compliance. In fact, companies that were fully PCI compliant had fewer
breaches than those that were not compliant. However, the majority (73%) of
respondents have achieved PCI compliance using a basic, checklist approach.

Imperva’s recommendations to consumers, businesses and the PCI DSS Council

To coincide with the October 31st deadline for input on changing PCI-DSS
standards, Imperva is providing recommendations to consumers, businesses and
the PCI DSS Council.

For the PCI-DSS Council

    - Have a compliance logo for consumers. Today, companies can't articulate
      their security efforts to consumers, and consumers are not aware of the
      compliance status of the retailers they do business with. As a
      consequence, companies cannot leverage their investment in PCI
      compliance to gain competitive advantage.

    - Modify compliance needs for larger and smaller companies. Smaller
      companies need to have a modified standard that takes into account
      different environments and security needs.

Consumer recommendations

Look for PCI compliant companies. In general, companies that were
compliant suffered fewer breaches. Although compliance doesn’t guarantee
perfect security, it helps the odds.

Business recommendations

    - Use PCI to bring about a broader, more effective security program.

    - Use PCI as a way to get senior management aware of and involved in IT
      security. PCI creates a business case that is tightly coupled to
      information security.

    - Assign a clear champion who owns and drives PCI as well as security
      and who is strongly empowered to direct numerous teams for support.
      Without a clear champion, security, and compliance, will suffer.

For more information

Listen to Imperva’s Chief Security Strategist Brian Contos interview Dr.
Larry Ponemon in a podcast
(http://www.imperva.com/docs/podcasts/35_PD_Ponemon.mp3) or download the
transcript (http://www.imperva.com/docs/podcasts/35_PD_Ponemon.pdf).

About Imperva

Imperva, the Data Security leader, enables a complete security lifecycle
for business databases and the applications that use them. Over 4,500 of the
world’s leading enterprises, government organizations, and managed service
providers rely on Imperva to prevent sensitive data theft, protect against
data breaches, secure applications, and ensure data confidentiality. The
award-winning Imperva SecureSphere is the only solution that delivers full
activity monitoring from the database to the accountable application user and
is recognized for its overall ease of management and deployment. For more
information, visit http://www.imperva.com.

About The Ponemon Institute

The Ponemon Institute© is dedicated to advancing responsible
information and privacy management practices in business and government. To
achieve this objective, the Institute conducts independent research, educates
leaders from the private and public sectors and verifies the privacy and data
protection practices of organizations in a variety of industries. Visit the
Ponemon Institute at http://www.ponemon.org.

SOURCE Imperva

Source: newswire