Sign up for a customized personal demo with an AirTight expert.
AirTight Networks Co-sponsors Important Research Study on PCI Compliance from the PCI Knowledge Base; Research Arm of the PCI Security Vendors Alliance
Percentage of Merchants Who Met PCI Data Security Standards More Than Doubles in Just Eight Months
San Francisco, CA - April 8, 2008 - AirTight® Networks, the global leader for wireless vulnerability management, announced today at the opening of RSA 2008 in San Francisco that it has co-sponsored a new report from The PCI Knowledge Base, a research program designed to help merchants, assessors, banks, processors and vendors anonymously share PCI knowledge and experience.
According to Visa, the percentage of large merchants that met PCI Data Security Standard (PCI DSS) compliance more than doubled over the last eight months. This spike in compliant companies prompted the Payment Card Industry Security Vendor Alliance (PCI SVA), a member organization that offers institutions and card processors products and services to achieve PCI DSS compliance, to create the PCI Knowledge Base.
“PCI compliance is a complex and often daunting task,” said David Taylor, Research Director of the PCI Alliance. “We wanted to find out how so many companies became compliant so quickly and share that information with other merchants affected by PCI DSS.”
“The good news out of this is that the leading merchants who are members of the PCI Knowledge Base have obviously taken seriously the large breaches of networks via wireless connections,” said David King, chairman and CEO of AirTight. “The results of the PCI Knowledge Base’s research indicate there is definitely an acceleration of PCI compliance amongst merchants and banks. The troubling news, however, is that the clear majority of the participants in the research program indicate merchants are focused on achieving ’Paper Compliance‘ — or just getting by to avoid fines.”
“What differentiates the leading merchants in the Knowledge Base,” continued King, “is that they are focused on ‘operationalizing’ their compliance – by integrating PCI with other compliance programs, and building compliance into their corporate DNA. There is a wide chasm between compliance and security as demonstrated by a recent breach of a large merchant who was, according to news reports, compliant. The work done by the Knowledge Base will be a valuable resource in continuing to educate the marketplace on the risks involved in just getting by with ‘good enough’ compliance measures.”
Some key findings in the PCI Knowledge Base Report include:
- More than 65 percent of merchants and more than 80 percent of assessors reported that PCI compliance choices are driven by the PCI checklist, and not by a risk management analysis, since a perfect score is required to be PCI compliant.
- PCI has caused a major shift in the security priorities of more than 60 percent of companies to implement data at rest encryption and network segmentation, but away from security management tools, such as security information management.
- More than 40 percent of security managers report that PCI is an excellent standard because it mandates specific IT controls and helps them justify needed security purchases.
- More than 70 percent of security managers have had substantial additional burdens placed on them by PCI, primarily the requirement to regularly review log files and access controls. In most cases this must be done manually because there is no requirement or budget to automate the review process.
- More than 75 percent of merchants are focused on achieving “Paper Compliance” – or just getting a “Green ROC” in order to avoid fines, but there is a group of leading merchants focused on ongoing or “Operational Compliance.”
- The leading 10 percent of merchants are managing PCI compliance as part of an enterprise compliance plan, but nearly 30 percent of merchants are planning to apply the PCI standards to protect other confidential data, such as SSNs.
- Another differentiator of leading merchants is that they undertake due diligence investigations of the security of their service providers, rather than assume that a legal agreement that mentions PCI is sufficient to limit their liability.
About The PCI Knowledge Base
The PCI Knowledge Base contains more than 1,200 best practices, lessons-learned, vendor experiences, PCI assessor experiences, and industry trends, based on more than 75 hours of interviews with merchants, banks, card processors and security vendors. It delivers advice from a panel of experts, consisting of more than 30 PCI assessors, chief technology officers, chief information and security officers, and security consultants.
The Knowledge Base’s panel of experts includes luminaries from many of the leading companies in the PCI sector—including Citigroup, U.S. Bank, AT&T, Convergys, Accenture, Ernst & Young, Tripwire, IBM, ArcSight, Citrix, Ipswitch, AirTight Networks, Configuresoft, Centrify and SafeNet, Inc.—as part of their efforts to help companies secure their confidential data and manage their compliance with security standards and laws.