Despite a slew of disastrous, high-profile identity theft cases in the past few years, companies conducting transactions both online and in their brick-and-mortar stores still aren’t doing enough to protect their customers’ personal and financial data, according to a new survey released by Imperva and the Ponemon Institute.
The survey, which queried IT security professionals responsible for securing data at 517 U.S. and multinational companies, found that 55 percent are securing credit card information but not Social Security numbers, bank account details and variety of other customer data.
Imperva, a data security software vendor and the Ponemon Institute, an independent research firm, embarked on the survey hoping to find out just how many companies were complying with the Payment Card Industry’s (PCI) Data Security Standard
(DSS) and how many were going above and beyond the credit card industry’s security benchmark.
“Companies know PCI DSS as a compliance requirement,” Larry Ponemon, the Institute’s founder and chairman said in a podcast detailing the survey results. “You have to do it and if you have the resources to do that, maybe with just a little bit more resources and maybe being smart in the spending on those resources, you can accomplish more and better security.”
Considering the damage done by hackers in recent years, both in dollars and consumer confidence, e-tailers are increasingly being compelled to go beyond the minimum compliance requirements to protect personal data.
Earlier this month, the alleged mastermind of the biggest identity
theft scam in U.S. history pleaded guilty to 20 federal
charges for his role in the T.J. Maxx credit and debit card heist. The Justice Department estimated that more than 40 million credit and debit cards were compromised in the scam.
Of the companies surveyed, 71 percent said they still weren’t making data security a top initiative in their IT budgets, even though 79 percent of them admitted that they had been hit by one or more data breaches since the PCI DSS standard was enacted in 2005.
The number one reason for this apparent lack of vigilance? Money.
“Companies devote 35 percent of their IT security budgets to PCI compliance on average, making cost a significant obstacle—especially for smaller companies,” Amichai Shulman, Imperva’s chief technology officer, said in the report.
“This is why Imperva is recommending that the PCI DSS Council modify the requirements for larger and smaller companies to take into account different environments and security needs.”
Only 28 percent of IT security leaders surveyed at companies with between
501 and 1,000 said they were in full compliance with PCI DSS, compared to 70 percent of companies with 75,000 or more employees.
Leadership was cited as another excuse for falling short. Fifty-five percent of those surveyed said they didn’t feel their CEO strongly supports PCI DSS compliance and another 52 percent said their company still isn’t proactive in managing privacy and security risks.
However, 75 percent said their company has achieved “some level” of compliance, with 28 percent compliant for “most” of their applications and databases and 25 percent in compliance for “some” of their applications and databases.
Most concerning to consumers? Only 22 percent of companies said they were in full compliance.
“I think we found that some organizations use PCI as an opportunity to do more and achieve a better outcome for their company,” Ponemon said.
And, according to the survey results, many more organizations still haven’t taken it upon themselves to do to achieve the best possible security for their customers.
In the first three months of this year alone, U.S. businesses reported 83 data security breaches that exposed the personal data of more than 1.1 million consumers, according to the Identity Theft Resource Center (ITRC).