Cisco released a white paper on January 12, 2011, which reported that results from its survey of 500 IT decision makers show that PCI DSS compliance is no longer viewed as overly expensive and burdensome. Instead, the survey revealed “one overwhelming message: Organizations of all types view PCI compliance as a necessary and worthwhile investment.”
According to the white paper, the top ten takeaways from the survey are:
(1) Most organizations have taken significant steps to achieve PCI compliance and believe their current infrastructures would pass assessments.
(2) Organizations believe they are more secure than they would be if PCI compliance were not required.
(3) Companies view PCI compliance as necessary for protecting cardholder data.
(4) PCI compliance projects can drive or fund other network and information security projects.
(5) Most organizations plan to increase PCI compliance spending in 2011.
(6) Many companies plan to make additional investments to comply with evolving PCI requirements for virtualized environments.
(9) Nearly two-thirds of organizations are using point-to-point encryption (P2PE), which will reduce the scope of PCI assessments and simplify compliance.
(8) Most large and midsize organizations now use continuous wireless intrusion prevention and intrusion detection to guard against rogue wireless access points.
(9) Other regulations, laws, and standards can enhance a company’s ability to comply with PCI standards.
(10) Educating employees on the proper handling of cardholder data remains the biggest challenge organizations face.
Notable results for specific survey questions include:
- 87% feel that PCI compliance is necessary;
- 85% believe they would pass a PCI assessment;
- Only 5% believe that PCI does not go far enough to protect cardholder data; and
- There was no single requirement of the 12 PCI DSS requirements that a majority of respondents identified as being significantly more problematic than others (37% cited tracking and monitoring all access to network resources and cardholder data as a top concern).
Results sorted by industry also provided interesting findings:
- 92% of financial and retail industry respondents believe they would pass a PCI assessment today;
- 85% of government respondents passed on their initial assessment compared to 72% for healthcare;
- 92% of financial industry respondents were aware of PCI DSS 2.0 compared to 77% among government organizations; and
- Almost 70% of financial services organizations use point-to-point encryption (P2PE).