
Ponemon Institute and Imperva survey shows companies still struggle to protect consumer credit card data

• 71 per cent of companies do not treat PCI as a strategic initiative, yet 79 per cent have experienced a data breach.
• 55 per cent do not secure Social Security numbers, driver’s licence numbers and bank account details; consumers are more at risk with smaller businesses.
• Data security leader Imperva provides recommendations to consumers, businesses and the PCI DSS Council in advance of the October 31st deadline.

24 September, 2009 09:45

<p>Sydney – September 24, 2009 – Imperva and the Ponemon Institute today announced the findings of a survey across more than 500 U.S. and multinational IT security practitioners showing that, despite the Payment Card Industry’s (PCI) Data Security Standard (DSS), companies still struggle with data security, putting consumers at continued risk for identity theft.</p>
<p>In fact, 71 per cent of companies surveyed admit to not making data security a top strategic initiative, and 55 per cent admit to securing only credit card information and not sensitive information such as Social Security numbers, driver’s licence numbers, and bank account details.</p>
<p>However, the survey also found that companies taking a strategic approach to PCI compliance have fewer data breaches. Based on these findings, Imperva is making specific recommendations to consumers, businesses and the PCI DSS Council to improve the safety of consumers’ personal information.</p>
<p>The PCI DSS standard was put into effect to provide security guidelines to all businesses that handle credit card information, in order to better protect consumers. Since it was enacted in June 2005, the number of data breaches and the amount of credit card fraud have continued to rise.</p>
<p>According to the survey of more than 500 U.S. and multinational IT security practitioners at companies with an average of $US5.6 billion in annual revenue:</p>
<ul>
<li>71 per cent of respondents do not treat PCI as a strategic initiative, yet 79 per cent have experienced a data breach involving the loss or theft of credit card information.</li>
<li>55 per cent of respondents focus only on credit card data protection and do not attempt to secure sensitive information such as Social Security numbers, driver’s licence numbers, bank account details and other data about people and families.</li>
<li>60 per cent of respondents don’t think they have sufficient resources to comply with PCI and bring about a necessary level of cardholder security.</li>
</ul>
<p>“Nobody is in business to be compliant. But there is a silver lining to this survey: if you protect consumers as required by the PCI DSS standard, there is an incredible opportunity to improve your overall security posture,” said Shlomo Kramer, Imperva’s CEO.</p>
<p>“Security departments are using PCI compliance as leverage to gain more budget, but these resources are not always translating into greater security for sensitive customer data,” said Larry Ponemon, chairman and founder, Ponemon Institute. “The results of our study indicate that while some companies have figured out how to convert PCI standards into an overall security mandate—many more have not.”</p>
<p>Smaller businesses struggle the most</p>
<p>The survey found that only 28 per cent of smaller companies (501-1000 employees) comply with PCI as opposed to 70 per cent of larger companies (75,000 or more employees).</p>
<p>“Companies devote 35 per cent of their IT security budgets to PCI compliance on average, making cost a significant obstacle, especially for smaller companies,” explained Amichai Shulman, Imperva’s CTO. “This is why Imperva is recommending that the PCI DSS Council modify the requirements for larger and smaller companies to take into account different environments and security needs.”</p>
<p>“The PCI Security Standards and the card brands must update the PCI-DSS so that it’s risk-based, depending on the system configuration of the complying company. The ‘one size fits all’ approach of the current standard imposes unreasonable requirements on many companies that have simple networks, or have implemented security technologies that aren’t included in the PCI standards, but provide equal or greater levels of protection,” said Avivah Litan, Vice President and Distinguished Analyst with Gartner Research in a May 2009 report, “Moving Beyond PCI at Visa’s Global Security Summit.”</p>
<p>The PCI DSS standard has the potential to make a powerful impact on corporate IT security initiatives. The survey shows that 27 per cent of companies believe that PCI-DSS compliance is positively contributing to their organisations’ security posture and are taking a strategic approach to compliance. In fact, companies that were fully PCI compliant had fewer breaches than those that were not compliant. However, the majority (73 per cent) of respondents have achieved PCI compliance using a basic, checklist approach.</p>
<p>Imperva’s recommendations to consumers, businesses and the PCI DSS Council</p>
<p>To coincide with the October 31st deadline for input on changing the PCI-DSS standard, Imperva is providing recommendations to consumers, businesses and the PCI DSS Council.</p>
<p>For PCI-DSS Council</p>
<ul>
<li>Have a compliance logo for consumers. Today, companies can’t articulate their security efforts to consumers, and consumers are not aware of the compliance status of the retailers they do business with. As a consequence, companies cannot leverage their investment in PCI compliance to gain competitive advantage.</li>
<li>Modify compliance needs for larger and smaller companies. Smaller companies need a modified standard that takes into account different environments and security needs.</li>
</ul>
<p>Consumer recommendations</p>
<p>Look for PCI compliant companies. In general, companies that were compliant suffered fewer breaches. Although compliance doesn’t guarantee perfect security, it improves the odds.</p>
<p>Business recommendations</p>
<ul>
<li>Use PCI to bring about a broader, more effective security program.</li>
<li>Use PCI as a way to make senior management aware of and involved in IT security. PCI creates a business case that is tightly coupled to information security.</li>
<li>Assign a clear champion who owns and drives PCI as well as security, and who is strongly empowered to direct numerous teams for support. Without a clear champion, both security and compliance will suffer.</li>
</ul>
<p>About The Ponemon Institute</p>
<p>The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries. Visit the Ponemon Institute at</p>
<p>About Imperva</p>
<p>Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment. For more information, visit</p>
<p># # #</p>
<p>Imperva and SecureSphere are registered trademarks of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders.</p>
<p>Editorial Contact
Stree Naidu,
Imperva Vice President Asia Pacific
Tel: +61.2.8916 6260 or +64.9634 4413</p>