Survey on PCI: How it's impacting network security

A survey of 500 information technology professionals with responsibility to assure compliance with the Payment Card Industry (PCI) security standard shows just over half find it "burdensome but necessary" in their organizations and about a third see it impacting their virtualized network environments in particular in the future.

ANALYSIS: Encryption adoption driven by PCI, fear of cyber attacks

The survey was sponsored by Cisco to gauge attitudes toward PCI, its cost to organizations that need to achieve PCI compliance and where future security changes are now under consideration. The survey indicated about 85 per cent were confident their organizations were prepared to pass a PCI audit but at the same time about a third indicated they anticipated making changes to their virtualized networks, such as using firewall and intrusion-protection systems as virtual security appliances, to meet future PCI compliance needs.

Although the PCI mandate applies specifically to how payment-card data is secured and stored, the security standard, which is set by the PCI Security Standards Council, appears to be having the effect of influencing security in general across the organization.

"A whopping 60 per cent were using point-to-point encryption to simplify their compliance efforts and possibly reduce the scope of their next PCI assessment," Cisco's survey results state. Fred Kost, director of security solutions at Cisco, said the PCI mandate is impacting plans for how virtualized networks will be secured as well. When asked, "How do you anticipate needing to change your virtualized environment to meet PCI compliance?" about a third replied they would need to add virtual security appliances, such as firewall and IPS, in order to meet PCI 2.0 compliance, while a third also wanted to "further harden our virtualization software."

Six out of 10 surveyed said their five-year spending on PCI compliance ran from $100,000 to more than $1 million. As to whether the effort to achieve PCI compliance actually made their organizations more secure, about 70 per cent answered in the affirmative. However, 15 per cent answered, "No, we already followed security best practices before PCI compliance requirements existed," 10 per cent said, "No, PCI compliance does not make an organization more secure," and six per cent were "unsure."

Rich Siedzik, director of computer and telecommunications services at Bryant University, would agree that PCI "is a very time-consuming thing. They're looking for proof you comply with the control points for over 168 control points you have to pass."

He notes it requires working on security improvements and reports to meet with the auditors and others with a role in PCI compliance review. "Our take on PCI is we look at security first, PCI second. If you focus on security, a lot of the PCI pieces fall into place," he says, adding the university prefers to automate control processes when possible.

At the end of the day, "PCI is worthwhile," says Siedzik, noting that various projects, such as deploying the Bradford Networks network-access control products for the entire university staff and students to track network and ensure anti-virus use, was prompted a few years back in part to meet the PCI requirements.

When asked their sentiment about PCI compliance, 36 per cent of respondents in the Cisco survey said, "It's necessary and I don't mind dealing with it," 51 per cent said, "It's burdensome but necessary," eight per cent said, "It's burdensome and not necessary," and five per cent answered, "It doesn't go far enough in protecting cardholder data."

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags Configuration / maintenancevirtualizationFirewall & UTMsecurityhardware systemsData CenterPCI

More about CiscoetworkFredIPSLAN

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place