Merchants Warming Up To PCI

New surveys show more positive PCI perceptions, but PCI 'check-box' era far from over, security experts say
Two new reports issued today -- one by Cisco Systems and the other by the National Retail Foundation (NRF) -- show PCI increasingly being perceived as a useful and effective security tool in the eyes of the businesses that must comply with it.

While half of the organizations surveyed by Cisco say PCI is a necessary burden, around 70 percent say it has made their organizations more secure, with 38 percent saying they are "much more" secure since complying with it, and 32 percent saying they are "slightly more" secure. Some 85 percent are confident they could pass a PCI audit right now.

The Cisco report also found more than half of the organizations use PCI compliance projects to drive or fund other network and security initiatives, and PCI spending will increase at most organizations this year.

Why such PCI optimism? It could be because most of the organizations in the Cisco survey have been working with PCI compliance for more than four years, and around half since its inception five years ago. "Companies that have been doing PCI for four years are more likely to pass their assessments and more likely to think that they have security benefits from [PCI]," says Rich Mogull, CEO of Securosis. "That's because they probably had minimal security before PCI, so of course they would come out optimistic."

Cisco's survey respondents are mostly primary decision-makers in their organizations (56 percent), nearly half of which are employed by businesses with 1,000 or more workers. Around 55 percent are Level 2 or Level 3 merchants, and 17 percent are Level 1.

PCI traditionally has been considered more a check-box item for organizations than a real security tool. A fall 2009 Ponemon Institute study of PCI DSS compliance, commissioned by Imperva, found that only about 30 percent of the merchants took PCI security seriously. While nearly 80 percent of retailers and organizations that handle credit card transactions said they had been hit with a data breach, more than 70 percent still didn't consider security strategic to their operations.

Fred Kost, director of security solutions at Cisco, says the survey (PDF) shows businesses have made "significant" inroads in PCI compliance. "Most feel they could pass an assessment today. The sentiment is very positive around PCI," he says.

The biggest shift is in how they view it -- not just as something they have to do and spend money on, but that PCI is actually making their networks and infrastructure more secure. "It's making a difference. We also found that PCI compliance and funding are now driving other [security] projects," Kost says.

But don't mistake all of this feel-good sentiment about PCI as a sign that businesses are embracing it without any trouble. The check-box phase is not over, Securosis' Mogull says. "Most organizations are still struggling with it," he says. "The more companies are aware of PCI and passing their assessments, of course they are going to feel more secure."

Cisco's Kost, meanwhile, sees it differently. "Seventy percent said they feel more secure" with PCI, he says. "That says this is not a mandate for a checkbox item ... It speaks to the good work of PCI."

But the story is different when it comes to many small businesses, which, according to the NRF study, are still on a big learning curve when it comes to PCI. While 86 percent of the respondents (most of which transact less than $500,000 in payment card sales annually) in that survey say they care about keeping customer card data locked down and consider this important to their business, 64 percent say they are not vulnerable to credit or debit-card theft.

Two-thirds say they are aware of PCI DSS, but less than half have performed a PCI self-assessment, and 42 percent who are in the know about PCI say they didn't realize merchants have to do these surveys annually. Many don't understand liability in a data breach: More than 60 percent didn't know credit card companies can fine them for every card they have to cancel if the merchant ends up the source of the breach.

Educating employees on proper handling of cardholder data is still problematic in many organizations, the Cisco report found. Some 43 percent ranked that as one of their main challenges with PCI, followed by upgrading systems to meet compliance (32 percent), changing business practices to meet compliance (29 percent), lack of staffing to support PCI efforts (28 percent), and lack of budget for PCI (25 percent).

"One of the biggest challenges is educating employees around PCI in the proper handling of cardholder information. You can encrypt, segment, and [protect] networks, but the employee is often the weakest link if they see that information," Kost says.

PCI compliance is a good baseline, but compliance still doesn't equal security. "Being compliant doesn't mean you're secure," he says.

Says Securosis' Mogull: "It's there to protect credit [and debit] card numbers -- nothing else. It's not going to stop all kinds of attacks, but it's a good baseline."
