Credit Card Compliance Still Poorly Practiced

A new survey from Imperva and the Ponemon Institute finds that despite the rising number of data breaches, many companies still do not fully adhere to compliance standards. And many of those that are protecting credit card information are neglecting security when it comes to other, equally sensitive data. Smaller businesses may be having the most trouble with the standards.The Payment Card Industry (PCI) Data Security Standard (DSS) spells out the security steps companies must take to protect confidential customer and financial information.

According to the Ponemon Institute/Imperva survey of 500 businesses, many of them haven't taken all the necessary steps.

This isnt new -- incomplete or partial PCI DSS compliance has long been a concern, both for the risk it creates,obviously, but also for what failures to meet the compliance standards says about business.

In the case of the Ponemon/Imperva survey, what it says is that:

79% of respondents have experienced a data breach involving credit card data, yet 71% still don't incorporate PCI DSS compliance into their overall strategic security initiatives.

55% protect credit card data -- but don't apply DSS-level compliance to protecting Social Security and other equally sensitive identity and financial data.

Scary stuff, but pretty clearly explained, at least by the survey's respondents:

60% of respondents blamed lack of PCI DSS compliance on lack of resources -- this stuff is scary, but this stuff is also costly, with fully compliant companies typically devoting 35% of their IT security budgets to compliance.

It's even worse on the small and midsized business front. According to the survey: Only 28% of smaller business are fully PCI DSS compliant.

That sound about right to you? Where does your company's PCI DSS compliance practices -- and, for that matter, budget or level of security resource dedication -- fall on the scale.

More to the point, have you -- or a credit card processing vendor -- experienced a data breach after which you or the vendor remains non-compliant?

Recognizing that the burden -- it's a responsibility, sure, but it's also a burden -- of PCI DSS compliance is heavy on all companies, but disproportionately so on smaller businesses, Ponenon and Imperva make a couple of provocative recommendations:

A PCI DSS compliant logo to be posted on Web sites would, they argue, help offset the cost of compliance by making compliance a competitive advantage. This, of course, begs the questions of a) How long it would take to educate the public about the logo and its meaning, and b) whether the public would actually respond to such a log and restrict its shopping and purchasing habits to logo-emblazoned businesses.

(Won't even talk here about the prospect of phony logos emerging from the cybercrook sphere.)

More practically, I believe, they recommend that the PCI-DSS governing body modify the standards for smaller businesses in recognition of the larger challenges those businesses face in hitting the compliance standard.

Whether or not either recommendation is acted upon -- and how long it takes -- will be interesting to watch.