Identity Management Trends in PCI Compliance Survey Findings

The other week, we announced some findings from a survey conducted over the past couple of months aimed at understanding where authentication and access management sits in the eyes of those concerned with Payment Card Industry (PCI) data security standards (DSS). With PCI publishing the latest PCI Data Security Standard 1.2 on Oct. 1, 2008, this online survey highlighted some interesting trends as companies work toward compliance.

Here are a few stats to briefly call out:

  • Despite the latest PCI DSS compliance requirements deadline having passed in June 2008, only 39 percent of respondents confirmed they are currently compliant
  • Of the 61 percent of respondents that are not yet compliant, 53 percent expect to become compliant within 12 months; 65 percent expect to be compliant within 18 months

Clearly, PCI DSS still has a long way to go if more than 60 percent of respondents aren't yet compliant, but it looks like a clear priority over the next 12-18 months for most companies. Of the 12 areas across IT disciplines that PCI DSS addresses, many are tied to access and authentication technologies - after all, the goal is to control access to critical customer information. Deployments of single sign-on, strong authentication and physical-logical security integrations with specific ties to compliance are increasing and/or in the works for most respondents in the short term.

  • To control individual access to computing resources and cardholder information, of those that are now compliant, 74 percent have assigned a unique user ID, 63 percent have deployed strong authentication technologies and 63 percent have deployed password management technologies

Managing IDs is tough enough when one considers how many different systems employees at most companies interact with, so it is great to see that 74 percent or respondents have assigned a unique user ID for each employee. A unique ID and strong authentication is critical in ensuring there is a link between a logon id and an individual's true identity. This is critical not only for audit purposes but it also acts as deterrence.

  • 26 percent of those not yet compliant aim to have the best security available in the industry to protect data

A surprising tidbit that came from this survey is that more than a quarter of respondents are less driven specifically by compliance of industry regulation and more driven to make sure they have the best security available in place. This is a positive trend as often times security investments had been relegated to the minimalist checklist of what was required to have 'good enough' security. This confirms the anecdotal evidence that companies are increasingly becoming more aware of the potential damage to their public image and are determined not to be in the headlines for the wrong reasons.

For the full Executive Summary of the report, click here, and for the press release, click here.

How's your PCI DSS compliance coming along?

-David