National Survey Finds Most Companies Expect to Be Compliant with PCI Standards within 18 Months
Findings indicate authentication and access among top priorities; 44 percent have deployed two-factor authentication; 26 percent aim to go beyond compliance to deploy best practices and technologies
LEXINGTON, Mass.–(BUSINESS WIRE)–Imprivata®, Inc., the converged authentication and access management company, announced the results of a national survey examining Identity Management Trends in PCI Compliance 2008, covering the state of Payment Card Industry (PCI) data security standards (DSS) and compliance spanning companies over a cross-section of industries. Timely with the PCI Data Security Standard 1.2 being recently released on Oct. 1, 2008, this online survey of IT decision makers covered companies of all sizes and highlighted trends and the role of authentication and access technologies in achieving compliance.
The time is now for most companies to select, buy and deploy technologies to achieve compliance within 18 months:
Companies across a variety of industries must comply with the PCI DSS requirements or risk steep penalties and fines – most deem compliance very important to avoiding unnecessary risk and related costs. Many firms are actively engaged in the PCI DSS compliance process by examining the specific requirements, retaining a consultant and/or implementing technologies to satisfy the industry mandates.
Despite the latest PCI DSS compliance requirements deadline having passed in June 2008, only 39 percent of respondents confirmed they are currently compliant
Of the 61 percent of respondents that are not yet compliant, 53 percent expect to become compliant within 12 months; 65 percent expect to be compliant within 18 months
90 percent of those respondents not yet compliant view PCI DSS compliance as important; 44 percent consider it very or extremely important
Authentication and access technologies are clear priorities to achieving PCI DSS compliance:
The PCI DSS regulations cover twelve specific areas across IT disciplines, with many tied to authentication and access technologies that are the current focus of investments for respondents’ compliance efforts. Many respondents have outlined specific authentication and access technologies as areas they still need to invest in to satisfy compliance requirements and to achieve key security objectives overall.
To control individual access to computing resources and cardholder information, 74 percent have assigned a unique user ID, 63 percent have deployed strong authentication technologies and 63 percent have deployed password management technologies
35 percent of respondents have already deployed single sign-on (SSO), and 39 percent have deployed physical access security cards
In pursuit of PCI DSS compliance to satisfy the 12 specific regulations: 68 percent of respondents have already restricted access to cardholder data based on need-to-know; 73 percent have assigned a unique ID to each person with computer access; 75 percent restrict physical access to cardholder data; 70 percent track and monitor all access to network resources and cardholder data
Companies are moving beyond simple ‘check-box’ compliance to deploy best-of-breed security technologies and establish best practices:
As companies work towards meeting the PCI DSS mandates, there is a group of respondents that are concerned with more than simple compliance. Instead, while interested in compliance, their primary driver is to improve their security in a holistic manner.
— 26 percent of those not yet compliant aim to have the best security available in the industry to protect data
— 31 percent acknowledge the risk of significant penalties is their primary driver for achieving PCI DSS compliance
The study was conducted in June and July 2008, culminating in 64 responses from IT decision-makers across the U.S. spanning every major industry.