PCI To Drive IT Budgets In 2011
January 13, 2011
A new Payment Card Industry (PCI) survey finds that respondents anticipate significantly increased spending on PCI compliance this year, which should drive security-related budgets across numerous IT areas. The survey of 500 IT executives on what's happening as a result of the recent update to the 5-year-old PCI Data Security Standards (PCI DSS 2.0), conducted by InsightExpress on behalf of Cisco, also found that the majority of respondents believe their organizations are more secure than they would be if PCI compliance wasn't required.
The survey was intended to discover where the PCI industry is and what impact it will have on organizations and their IT expenditures, says Fred Kost, director, security solutions, at Cisco. Overall, the PCI Council has been successful in communicating and getting active participation and increased adoption of the PCI standards among stakeholders, he says, but more work is required.
A recent survey by Verizon finds that organizations struggle when they have to engage in continuous security activity, such as daily monitoring of logs, according to the business analysis of its PCI assessment clients. In addition, Verizon finds that organizations that had suffered data breaches of cardholder information performed dismally in terms of compliance with most PCI requirements.
Verizon also reported that about one-fifth of the organizations included in the analysis were found to be fully PCI-compliant in Verizon's Initial Report on Compliance (IROC), issued after the assessors' site visit.
Organizations performed woefully across all aspects of regularly testing security systems and processes, but failure to perform file integrity monitoring was the single greatest failure among the 150 or so tests required across the PCI standard. The consistent theme across the non-compliance for tracking, monitoring and regular testing was the failure to apply security practices that require continuous activity.
Kost says that while most respondents believe they've made major steps toward being PCI-compliant, user education and awareness is a key issue organizations continue to wrestle with. Over the past five years, most organizations have spent between $100,000 and $1 million on PCI compliance, he says. Over two-thirds (71 percent) of respondents have been dealing with PCI for four or more years, and just under half (49 percent) have 1,000 or more employees globally.
In addition to educating employees about implementing PCI DSS (43 percent of respondents), 32 percent said updating antiquated systems was the next biggest challenge. The biggest PCI-requirement challenges were tracking and monitoring all access to network resources and cardholder data (37 percent), developing and maintaining secure systems and applications (32 percent), and protecting stored cardholder data (30 percent).
From a technology perspective, 60 percent of respondents were using some form of point-to-point encryption (P2PE), says Kost. Just over a third (36 percent) need to increase the number of virtual security appliances, such as firewalls and intrusion-prevention systems, in order to meet PCI 2.0 compliance, while 30 percent will need to continue to harden their virtualization software systems and make them more resilient to attack. A third technology area was wireless security and detecting rogue access points, Kost says.