PCI Compliant Companies Suffer Fewer Data Breaches: Study

Yet most practitioners don't believe PCI DSS actually improves information security.

April 21, 2011

REDWOOD SHORES, CA and TRAVERSE CITY, MI - A new report by data security firm Imperva and the Ponemon Institute reveals that while the majority of PCI-compliant firms suffer few or no breaches, most companies still do not perceive PCI-DSS to have a positive effect on data security.

According to their report, "The 2011 PCI DSS Compliance Trends Study," 64 percent of PCI compliant organizations suffered no data breaches over the past two years, while 38 percent of non-compliant firms were data breach-free during the same period.

For overall data breaches (general incidents or those involving credit card data), 63 percent of compliant organizations suffered no more than a single breach, versus 22 percent of non-compliant companies that were breached at most one time. Notably, 26 percent of non-compliant firms suffered more than five breaches during the two-year period.

"At the end of the day, we believe that PCI-DSS is one of the most effective data security regulations today and can significantly help companies improve their data security posture," said Amichai Shulman, CTO of Imperva. "Most companies who make an effort to comply with the standards are likely to suffer fewer breaches than those who don't, period."

When it comes to perception, though, the study found that 88 percent of firms did not believe that PCI-DSS compliance has a positive effect on securing data.

"Looking at the figures regarding the actual decrease in data breaches and recent figures regarding the cost of data breaches, it seems that many practitioners have a much subverted perception of the value of PCI-DSS compliance," said Larry Ponemon, chairman and co-founder of the Ponemon Institute.

Despite what appears to be pervasive industry skepticism, PCI compliance is on the rise, with two-thirds of respondents having achieved substantial compliance with PCI-DSS, up from one-half in 2009.

"Over the past few years, most companies have matured in their understanding of the PCI mandate and have worked to meet strict compliance deadlines," Shulman said. "We believe this is one of the primary reasons we've seen an overall increase in compliance and also, we believe, a decline in the number of credit card-related data breaches."

Get up to speed with everything and anything PCI compliance-related by attending NACStech, May 16 to 18 in Las Vegas. Register today!
