Risk

9/23/2009
10:46 AM
Keith Ferrell
Commentary

Credit Card Compliance Still Poorly Practiced

A new survey from Imperva and the Ponemon Institute finds that despite the rising number of data breaches, many companies still do not fully adhere to compliance standards. And many of those that are protecting credit card information are neglecting security when it comes to other, equally sensitive data. Smaller businesses may be having the most trouble with the standards.

The Payment Card Industry (PCI) Data Security Standard (DSS) spells out the security steps companies must take to protect confidential customer and financial information.

According to the Ponemon Institute/Imperva survey of 500 businesses, many of them haven't taken all the necessary steps.

This isn't new -- incomplete or partial PCI DSS compliance has long been a concern, both for the risk it creates, obviously, and for what failing to meet the compliance standards says about a business.

In the case of the Ponemon/Imperva survey, what it says is that:

79% of respondents have experienced a data breach involving credit card data, yet 71% still don't incorporate PCI DSS compliance into their overall strategic security initiatives.

55% protect credit card data -- but don't apply DSS-level compliance to protecting Social Security and other equally sensitive identity and financial data.

Scary stuff, but pretty clearly explained, at least by the survey's respondents:

60% of respondents blamed their lack of PCI DSS compliance on a lack of resources -- this stuff is scary, but it is also costly, with fully compliant companies typically devoting 35% of their IT security budgets to compliance.

It's even worse on the small and midsized business front. According to the survey, only 28% of smaller businesses are fully PCI DSS compliant.

Does that sound about right to you? Where do your company's PCI DSS compliance practices -- and, for that matter, its budget or level of security resource dedication -- fall on the scale?

More to the point, have you -- or a credit card processing vendor -- experienced a data breach after which you or the vendor remains non-compliant?

Recognizing that the burden -- it's a responsibility, sure, but it's also a burden -- of PCI DSS compliance is heavy on all companies, but disproportionately so on smaller businesses, Ponemon and Imperva make a couple of provocative recommendations:

A PCI DSS compliant logo to be posted on Web sites would, they argue, help offset the cost of compliance by making compliance a competitive advantage. This, of course, raises the questions of a) how long it would take to educate the public about the logo and its meaning, and b) whether the public would actually respond to such a logo and restrict its shopping and purchasing habits to logo-emblazoned businesses.

(Won't even talk here about the prospect of phony logos emerging from the cybercrook sphere.)

More practically, I believe, they recommend that the PCI DSS governing body modify the standards for smaller businesses in recognition of the larger challenges those businesses face in meeting the compliance standard.

Whether or not either recommendation is acted upon -- and how long it takes -- will be interesting to watch.
