In a rolling survey to assess the awareness, acceptance and understanding of PCI DSS 3.0, just 30 percent of respondents say they have reviewed all requirements and have a plan in place, while 41 percent claim to have heard of PCI DSS 3.0 but have no specific plan for compliance.
When asked to name the exact date by which they need to be PCI DSS 3.0 compliant, 70 percent of respondents remain unaware of the standard’s deadline.
When questioned over compliance with existing PCI DSS 2.0 standards, 77 percent of managers believe their businesses are currently PCI-compliant, 17 percent are unsure, while six percent admit that they may not be compliant. With regards to drivers behind PCI compliance, the strongest incentive is that it makes ‘good business sense’ (77 percent), followed by a ‘sense of responsibility’ (71 percent), fear of reputational damage (65 percent) and fines (53 percent).
When asked whether details specific to PCI DSS 3.0 are ‘essential’ to protect cardholder data, 47 percent agree while over a fifth (23 percent) do not regard 3.0 as ‘essential’ in protecting cardholder data. The majority (65 percent) of respondents see PCI compliance as part of overall security strategy and not a standalone or self-contained exercise.
Just 11 percent consider PCI compliance as separate to overall security strategy. 42 percent of respondents have completed a full PCI scope assessment in the last year, 21 percent completed a scope assessment in the last six months and 36 percent of respondents do not know the date of their last assessment. For the 77 percent who believe they are PCI-DSS compliant, they should be conducting annual assessments as required.
All businesses surveyed admit some concerns over PCI compliance, with the most prevalent being an understanding of PCI DSS 3.0 requirements (53 percent). Other worries expressed by the business managers surveyed include: educating employees (41 percent); budget allocation (42 percent); meeting PCI deadlines (40 percent); and resource allocation (35 percent).
“PCI DSS version 3.0 is a major stride forward,” said Christopher Camejo, director of Assessment Services for NTT Com Security. “Since 2004 PCI DSS has been a visible keystone for merchants and other businesses that need to protect sensitive payment card data, but the changes in 3.0 really up the ante from an operational perspective and bring a lot more detail to areas such as scope definition, penetration testing within requirement 11.3, and malware detection practices. From this survey and the conversations that we have in the market, a heightened awareness and broadened scope relating to the cardholder data environment is certainly required. Businesses understandably have concerns over compliance costs and resources, but they must also consider their responsibilities to customers, their reputation and the possibility of fines. The processing, storage and handling of personal and payment card data must be taken seriously by every business.”