The study surveyed 155 Qualified Security Assessors (QSAs) worldwide who are authorized by the PCI Security Standards Council to conduct annual technical reviews of the largest merchants' networks. With $225,000 to $500,000 spent annually on a PCI audit, "that's a large chunk of change to be doing each and every year," says Dr. Larry Ponemon, the Institute's founder. That cost doesn't include the technology changes and the operating and staff costs associated with the audit, according to the survey. Ponemon notes that sometimes the annual PCI audit "leads to a better security posture, but not always."
Of those merchants surveyed, 41% rely on "compensating controls" under the PCI rules. Failing an audit means working on a remediation plan, and compensating controls may address what might be done outside of strict PCI DSS guidelines to meet technical difficulties.
In the survey, 54% of QSAs acknowledged that their clients feel PCI DSS is too costly, although 20% did say their clients are "satisfied" with compliance costs. More than half (52%) of the QSAs said that merchants are not proactively managing data privacy and security in their environments. The survey suggests that restricting access to cardholder data remains problematic.
Encryption is the most effective technology their clients use, according to 60% of the QSAs surveyed, although the industry currently has no specific requirement for end-to-end encryption of cardholder data.
Posts
No comments:
Post a Comment