Survey of Qualified Security Assessors (QSAs) reveals new information on how merchants are coping with compliance and spending on annual compliance assessments
Thales, a leader in information systems and communications security, announces the industry’s first-ever look into Qualified Security Assessors’ (QSAs) preferences, recommendations and costs. These results are now available in the newly released report,
This report is based on research conducted by The Ponemon Institute on behalf of Thales.
The report reveals that while only two percent of businesses outright fail compliance audits, 41 percent would fail if they were unable to rely on temporary compensating controls to meet Payment Card Industry Data Security Standard (PCI DSS) requirements. These alternative routes to compliance must meet QSA approval, but they may be only temporary fixes or may be eliminated by future changes to PCI DSS. Their prevalence suggests that businesses are still coming up to speed with the security standard introduced in 2006.
“This study is the first ever to analyze PCI DSS compliance trends from the QSA perspective and reveals some very interesting information about the way organizations approach compliance and how they protect sensitive information,” says Dr Larry Ponemon, chairman and founder of The Ponemon Institute. “PCI DSS compliance isn’t easy and it’s definitely not all about any one technology or process. This study indicates a significant concern among QSAs that many merchants are primarily focused on complying with PCI and less on what should be equally important – protecting sensitive information.”
When it comes to compliance, QSAs find the most difficult requirement for merchants to meet is restricting access to cardholder data on a business-driven need-to-know basis (PCI DSS Requirement #7), and QSAs believe this is the most important part of achieving PCI DSS compliance. QSAs also find that the most significant threats to card data lie in merchant networks and in databases containing cardholder data. Not surprisingly, these are the places where criminals have caused the highly publicized data breaches of recent years.
The new research found that 60 percent of QSAs believe encryption is the most effective means to protect card data end-to-end – from the moment it is accepted at the Point-Of-Sale (POS) to the moment the transaction is authorized. Newer technologies such as tokenization are also gaining the attention of QSAs: 35 percent of QSAs prefer this method for protecting cardholder data end-to-end.
For 41 percent of QSAs, controlling access to encryption keys is the most difficult key management task faced by clients using encryption. To make encryption work for clients, 81 percent of QSAs recommend the use of a hardware security module (HSM) for encryption and key management. HSMs are specialized devices that make protecting and managing keys easier. On this point, 63 percent of QSAs believe that using HSMs reduces the time and money spent on compliance.
“Protecting customer and business data is top priority for every organization, but demonstrating compliance does not inherently translate into data security,” says Franck Greverie, Vice President, Managing Director for the information technology security activities of Thales. “Hopefully the results of this survey will help merchants better understand how QSAs view PCI DSS requirements and what works best to achieve compliance. Ultimately this will save merchants time and money and, most importantly, protect their business bottom line.”
The research also reveals that the annual QSA assessment – excluding technology, operating and staff costs – costs the largest merchants (Tier 1) $225,000 on average, while 10 percent of these large merchants pay $500,000 or more for QSA audits.
Stop by the Thales Booth #2123 at the RSA Conference March 1-5, 2010, Moscone Center, San Francisco, to get more information regarding the results of this survey and to discuss other issues relating to your security needs.
About the Ponemon Institute
The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.