Monday, March 29, 2010

QSAs Recommend End-to-End Encryption for Cardholder Data Protection

The Ponemon Institute recently published a study on PCI compliance titled "PCI DSS Trends 2010: QSA Insights Report." Published in March 2010, the study surveyed 155 QSAs worldwide for their opinions on PCI compliance, PCI compliance costs, and encryption technology. Some of the more interesting findings include:

• Encryption is the favored technology for achieving end-to-end cardholder data protection. 60 percent of QSAs believe encryption is the best means to protect card data end-to-end, compared to 35 percent for tokenization.

• Cost of annual audits averages $225,000 for the largest merchants. Excluding technology, operating, and staff costs, the world's largest acceptors of credit cards (known as Tier 1 merchants) spend an average of $225,000 a year on auditor expenses, and 10 percent of them spend $500,000 or more annually on PCI auditors. Annual auditor spend by Tier 1 retailers was distributed as follows:
15% less than $100k
39% $101k - $200k
27% $201k - $300k
5% $301k - $400k
4% $401k - $500k
10% more than $500k

• Almost half of the QSAs surveyed (44 percent) do not think their clients believe that PCI DSS improves data security. Responses to the statement "Clients don't believe PCI DSS improves data security" were:
21% Strongly Agree
23% Agree
15% Unsure
19% Disagree
18% Strongly Disagree


• When asked which technologies are most effective for achieving PCI DSS compliance, three of the top four answers were encryption technologies. The top four were:

1. Firewalls

2. Encryption for data at rest

3. Encryption for data in motion

4. Endpoint encryption solutions

• The QSAs surveyed ranked merchant networks as the systems most at risk of a cardholder data breach, followed by merchant databases, point-of-sale systems, and payment applications. End-to-end encryption can protect cardholder data in each of these systems. The share of QSAs naming each system as most at risk was:

51% Merchant Networks

43% Merchant Databases

33% Point of Sale Systems

30% Payment Applications


• When asked how best to protect cardholder data, 51% of QSAs chose encryption.


• A full copy of the study can be found by registering here.
