Endpoint security company Bit9 and Carbon Black today announced the results of a cyber-security study which shows that only 12% of UK IT organisations to which PCI applies are completely confident that their endpoints are compliant with PCI DSS v3.0. This points to poor cyber-security safeguards on the systems that process credit card payments and handle customers' personally identifiable information (PII).
While 94% of respondents said they have heard of PCI compliance, and 66% acknowledged that PCI applies to their organisations, only 21% admitted they feel up-to-speed regarding PCI compliance requirements.
Almost half (46%) of respondents working in organisations with POS systems indicated that they cannot adequately monitor and control access to critical data on their endpoints (i.e., credit card data and personally identifiable information)—suggesting that endpoint systems and payment card data are largely unprotected and vulnerable to being breached.
Additionally, only one-fifth (20%) of those with POS systems could definitely say that their systems have not been targeted by cyber attacks, and almost half (47%) admitted that they have no way of being certain. Only 52% of POS users surveyed are confident, or very confident, that their current security system is able to stop advanced threats or targeted attacks against their POS systems.
'These results highlight a major lack of confidence and knowledge around PCI 3.0 with an urgent need for organisations to improve protection of endpoint systems and the credit card data they house, against cyber threats', commented Christopher Strand, senior director, compliance for Bit9 + Carbon Black.
The survey, conducted by Vanson Bourne, covered 250 UK IT decision makers, working in organisations of at least 250 employees, across a spread of industries.
It also showed that, in organisations where PCI is relevant, only 10% of the IT budget is being spent on meeting the new PCI 3.0 requirements. Data breaches can have catastrophic consequences, so organisations must prioritise compliance and ensure their house is in order.
Only 12% of those in organisations where PCI compliance is relevant were completely confident that their organisation's retail endpoints are PCI compliant, and endpoint vulnerability remains the biggest concern for almost four out of 10 decision makers (38%). Truly protecting endpoint systems and the credit card data they process against cyber threats requires a thorough knowledge of how to implement all 12 PCI requirements, Strand said.
It currently takes organisations that need to work with PCI an average of eight days to conduct pre-compliance data gathering for a PCI assessment, and 74% of respondents were still relying on systems running Windows XP. Only 29% of these expected to deploy a new operating system in the near term, despite the fact that XP has reached end of life. This highlights the vulnerability of these systems: not only do organisations risk failing PCI compliance and facing potential fines, they also leave themselves more exposed to cyber attacks.
'In an industry fraught with identity theft and cyber crime, it's essential that companies protect their customers’ credit card data and personal information,' added Strand. 'This can only be achieved by putting in place a positive security model that will monitor and control all servers, endpoints and critical data. Whilst the PCI regulations may seem intimidating, the results of a breach far outweigh the effort involved in ensuring your organisation is compliant.'