thePCI Portal

PCI Compliant = Fewer Breaches (or at least it used to)

This is an article based on old (2011) data. I used to have a post about it, but I think I lost it during a hosting provider changeover, so I am going to rewrite it here referencing the old data for now.

In April 2011, Ponemon (and Imperva) published the results of a study which appeared to show a correlation between reduced data breaches and PCI DSS compliance status. CSO Magazine wrote an article about the report here. E-Week covered it here. Some of the highlights of the report:

  • PCI-compliant organizations suffered fewer or no data breaches in 2009 and 2010 compared to previous years
  • More than half, or 64 percent, of PCI-DSS compliant organizations reported suffering no data breaches involving credit card data over the past two years, according to the latest 2011 PCI DSS Compliance Trends Study released April 19. In comparison, only 38 percent of organizations which were not PCI-DSS compliant reported no breaches in 2009 and 2010.
  • The trend carried over to data breaches not limited to credit card theft, as well. About the same number, or 63 percent, of compliant organizations did not experience more than one incident over the same time period, compared to 22 percent of non-compliant companies. The report also found that 26 percent of non-compliant organizations reported more than five breaches over the same two years.

And on top of that, those interviewed at organizations were cynical about the benefits of the PCI DSS:

  • Despite evidence to the contrary, the study also found that 88 percent of respondents did not support the claim that PCI-DSS compliance has a positive effect on the number of breaches experienced, and only 39 percent mentioned data security improvement as one of the regulation’s value propositions for business. In fact, only 33 percent believe that PCI-DSS compliance expenditure is covered by the value it brings to the organization.
    “Looking at the figures regarding the actual decrease in data breaches and recent figures regarding the cost of data breaches, it seems that many practitioners have a much subverted perception of the value of PCI-DSS compliance,” said Larry Ponemon, chairman and co-founder of the Ponemon Institute.

The more things change, the less they do! Is the breach correlation still in effect? Is there reduced cynicism about PCI DSS? If anyone has some more current data on the topic, please share!
