Wednesday, May 4, 2011

Some Recent PCI Results

I just read a report on a PCI survey quoting some PCI statistics: PCI DSS compliance generates results. According to a recent survey performed by Imperva and the Ponemon Institute, businesses tend to perceive PCI compliance as something that does not have a positive impact on their security systems. However, the survey's results indicate companies that maintain PCI-compliant systems are significantly more secure than their non-compliant counterparts.

While I think PCI is a good thing because in a roundabout way it forces merchants to recognize security, I question statistics like this -- particularly the first number quoted: "...64 percent of PCI compliant respondents did not experience a data breach involving credit card data during the past two years."

In the past Visa has stated "No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. In all cases, forensic investigations have concluded that compliance deficiencies have been a major contributor to the breach." Based on this statement, I question whether or not the 36 percent of the PCI compliant respondents that were breached were "PCI compliant"? A catch-22. The report should have said 100% of PCI compliant respondents were not breached vs. some percentage of the non-compliant respondents were breached.

Nit-picky I know, but as my blog byline states, random thoughts.
