PCI Compliance May Mean Fewer Breaches, Study Says

But most professionals still don't think PCI has much of an impact on security, Ponemon/Imperva study says


PCI-compliant companies have fewer breaches, but most security pros still don't believe compliance has much positive impact on data security, according to a study released last week.

According to the "2011 PCI DSS Compliance Trends Study," conducted by the Ponemon Institute and sponsored by security vendor Imperva, 64 percent of organizations that comply with the Payment Card Industry Data Security Standard (PCI-DSS) reported suffering no data breaches involving credit card data during the past two years, while only 38 percent of noncompliant organizations reported suffering no breaches involving credit card data during the same period.

PCI-compliant companies also had fewer data breaches overall, even when credit card data wasn't involved. Sixty-three percent of compliant organizations suffered no more than one data breach, compared to 22 percent of noncompliant organizations. Notably, 26 percent of noncompliant organizations suffered more than five breaches during the same time period.

"At the end of the day, we believe that PCI-DSS is one of the most effective data security regulations today and can significantly help companies improve their data security posture," says Amichai Shulman, co-founder and CTO of Imperva, in a statement following the study's release. "Most companies who make an effort to comply with the standards are likely to suffer fewer breaches than those who don’t, period."

However, the study also found that 88 percent of respondents did not support the claim that PCI-DSS compliance has a positive effect on the number of breaches experienced, and only 39 percent mentioned data security improvement as one of the regulation’s value propositions for business. In fact, only 33 percent believe that PCI-DSS compliance expenditure is covered by the value it brings to an organization.

The study found that two-thirds of respondents have achieved substantial compliance with PCI-DSS. In the "2009 PCI DSS Compliance Trends Study," only half of respondents had achieved similar levels of compliance, and roughly 25 percent of respondents in 2009 had not achieved any level of compliance. In 2011, only 16 percent of organizations surveyed have not achieved any level of PCI-DSS compliance, the report states.


About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
