Most Companies Expect to Be Compliant with PCI Standards Within 18 Months

Imprivata has announced the results of a national survey examining Identity Management Trends in PCI Compliance 2008, covering the state of Payment Card Industry (PCI) Data Security Standard (DSS) and compliance spanning companies over a cross-section of industries. With the PCI Data Security Standard 1.2 released on Oct. 1, 2008, this online survey of IT decision makers covered companies of all sizes and highlighted the role of authentication and access technologies in achieving compliance.

Omar Hussain, President and CEO, Imprivata, Inc.: "Ensuring PCI DSS compliance is at the top of the list for organizations taking payment card information more so now than ever before with the latest deadline having recently passed and the final set of requirements and documentation to be issued by the end of 2008. Though a large majority of companies are still not yet compliant, they are actively engaged in efforts to achieve compliance. Authentication and access technologies are clearly among the highest priority, as they can satisfy a number of requirements simultaneously."

Survey Facts

The time is now for most companies to select, buy and deploy technologies to achieve compliance within 18 months:
Companies across a variety of industries must comply with the PCI DSS requirements or risk steep penalties and fines most deem compliance very important to avoiding unnecessary risk and related costs. Many firms are actively engaged in the PCI DSS compliance process by examining the specific requirements, retaining a consultant and/or implementing technologies to satisfy the industry mandates.
- Despite the latest PCI DSS compliance requirements deadline having passed in June 2008, only 39 percent of respondents confirmed they are currently compliant.
- Of the 61 percent of respondents that are not yet compliant, 53 percent expect to become compliant within 12 months; 65 percent expect to be compliant within 18 months.
- 90 percent of those respondents not yet compliant view PCI DSS compliance as important; 44 percent consider it very or extremely important.

Authentication and access technologies are clear priorities to achieving PCI DSS compliance:
The PCI DSS regulations cover twelve specific areas across IT disciplines, with many tied to authentication and access technologies that are the current focus of investments for respondents' compliance efforts. Many respondents have outlined specific authentication and access technologies as areas they still need to invest in to satisfy compliance requirements and to achieve key security objectives overall.
To control individual access to computing resources and cardholder information, 74 percent have assigned a unique user ID, 63 percent have deployed strong authentication technologies and 63 percent have deployed password management technologies
- 35 percent of respondents have already deployed single sign-on (SSO), and 39 percent have deployed physical access security cards.
- In pursuit of PCI DSS compliance to satisfy the 12 specific regulations: 68 percent of respondents have already restricted access to cardholder data based on need-to-know; 73 percent have assigned a unique ID to each person with computer access; 75 percent restrict physical access to cardholder data; 70 percent track and monitor all access to network resources and cardholder data.

Companies are moving beyond simple 'check-box' compliance to deploy best-of-breed security technologies and establish best practices:
As companies work towards meeting the PCI DSS mandates, there is a group of respondents that are concerned with more than simple compliance. Instead, while interested in compliance, their primary driver is to improve their security in a holistic manner.
- 26 percent of those not yet compliant aim to have the best security available in the industry to protect data.
- 31 percent acknowledge the risk of significant penalties is their primary driver for achieving PCI DSS compliance.

The study was conducted in June and July 2008, culminating in 64 responses from IT decision-makers across the U.S. spanning every major industry.

write your comments about the article :: 2008 Networking News :: home page