Today, we released our second survey on PCI. In this survey we set out to gauge just how effective PCI has been in reducing data breaches. The answer was somewhat surprising: PCI is very effective in reducing breaches but it seems many companies don't believe it. Why the disconnect? There are many possible answers including:
- PCI is a chore and, by definition, is no fun.
- Companies don't have a breach benchmark. Without one, you can't see how effective your own efforts are versus your peers'.
Here's a summary of what we consider the most interesting highlights.
Highlight #1: There is a dramatic difference in the number of breaches between compliant and non-compliant organizations.
This is true for both cardholder data related incidents and general incidents. 99% (!) of compliant organizations suffered no more than a single CC related breach compared to 85% of non-compliant organizations, with 64% of compliant organizations suffering no breach at all (compared to 38% of non-compliant). Only 1% of compliant organizations suffered more than one breach related to CC data compared to 15% of non-compliant organizations. 63% of compliant organizations suffered no more than a single breach overall compared to 22% of non-compliant, with 26% of non-compliant organizations suffering more than 5 breaches compared to only 3% of compliant organizations. We published a blog where we cited that in 2009, for example, 130M+ credit cards were taken from Heartland Payment Systems alone. But in 2010 the total amount of data stolen was just over 11M records. Why the drop? We think PCI was a factor, among many other things.
Yet there is a perception that PCI compliance is not contributing to reducing the number of breaches. 88% of respondents did not support the claim that PCI compliance has a positive effect on the number of breaches, and only 39% mentioned data security improvement as part of the PCI-DSS value proposition to organizations.
In fact, only 33% believe that PCI-DSS compliance expenditure is covered by the value it brings to the organization. Looking at the figures regarding the actual decrease in data breaches and recent figures regarding the cost of data breaches, it seems that many practitioners have a badly distorted perception of the value of PCI-DSS compliance.
We can probably see some decline in the population that is favorable towards PCI, but this is not very significant (25% vs. 27%). More troubling is the increase in those that are “cynical” (27% vs. 19%). It seems that the “checkbox” group has decreased dramatically. Why? People are either doing it for real or not doing it at all.
Highlight #2: Almost two thirds of respondents achieved substantial compliance with PCI vs. 50% in 2009.
Only 16% of organizations have not achieved any level of PCI compliance vs. 25% in 2009. This is due to growing maturity and to the PCI deadlines that occurred between 2009 and today.
Highlight #3: While the trends regarding the most commonly used technologies remain the same (firewalls, anti-virus, and traffic and disk encryption), we see some shift in trends regarding technologies related to the most difficult requirements of the PCI-DSS. Code review, for instance, saw the biggest decline.
About 49% of respondents considered access restriction on a need-to-know basis to be the most difficult requirement to comply with, followed by developing and maintaining secure applications (section 6) with 45%. Though the former is mostly an organizational difficulty (establishing the exact list of required privileges per individual is very difficult), we see a slight shift from using “Access governance systems” to “Identity and access management systems”. A much more noticeable shift is observed with respect to technologies that enable compliance with section 6 of the standard, where WAF has gone up 6 points (~13%) and code review has gone down 8 points (~13%). This is no surprise, as WAF has traditionally been considered to be more cost effective and code review much more expensive and tedious.
Highlight #4: Achieving effective compliance greatly depends on finding cost-effective solutions rather than spending more money.
We’ve analyzed the information about available PCI budget against the breach information. Somewhat counter-intuitively, those organizations that suffered no breaches are not necessarily those that spent the biggest budget. This supports our claim from the previous survey that achieving effective compliance greatly depends on finding cost-effective solutions rather than spending more money.
Highlight #5: Business Unit Leaders are taking over PCI management.
What does this mean? We see confirmation that security is evolving into a business process.