Public disclosures of security breaches involving consumer cardholder data continue to be a threat to consumer confidence in payment cards, and a growing source of financial risk for the payment card industry. The payment card industry has made steady progress in establishing a common set of security standards, evangelizing best practices, and encouraging adoption. Aberdeen's research shows that the Best-in-Class organizations have indeed achieved superior protection of cardholder data through compliance with PCI DSS.
To distinguish Best-in-Class companies from Industry Average and Laggard organizations, Aberdeen used the following performance criteria:
- Reporting of PCI compliance as a result of an internal audit or an external audit by a Qualified Security Assessor
- Number of non-compliance incidents (e.g., audit failures) related to protecting cardholder data over the last 12 months
- Number of actual data loss incidents over the last 12 months
Companies with the top performance against these criteria earned Best-in-Class status.
Survey results show that the firms achieving Best-in-Class performance shared several common characteristics, including the following:
- 77% have conducted formal risk assessments, and 68% have conducted vulnerability assessments, for all system components in the card processing environment
- 77% have a responsible executive or team with ownership for leading the PCI DSS compliance effort; 59% have implemented formal security awareness and training programs around PCI DSS
- 76% have segmented their network to isolate systems that store, process or transmit cardholder data from those that do not, thus reducing the scope of the PCI compliance effort
- 50% have eliminated storage of cardholder data and sensitive authentication data post-authorization; 41% have eliminated cardholder data in unstructured files outside the card processing environment
Beyond the specific recommendations in Chapter Three of this report, companies seeking Best-in-Class performance in protecting cardholder data should map their existing security controls to PCI DSS and use PCI DSS as a framework to guide their implementation of new or enhanced security controls. Once they have achieved compliance with PCI DSS, they should extend those same controls to drive better protection of other sensitive business data and to address compliance with other standards and regulations.