Retailers and other organizations that have dedicated compliance managers or program offices for the Payment Card Industry Data Security Standard have better data security track records than other retailers, Aberdeen Group says.
Retailers and other organizations that have dedicated compliance managers or program offices for the Payment Card Industry Data Security Standard, commonly called PCI DSS, have better data security track records than other retailers, research advisory firm Aberdeen Group says in a new study “PCI DSS and Protecting Cardholder Data.”
Aberdeen found that so-called best-in-class organizations (those ranked in the top 20% based on PCI compliance performance) were two times more likely than the so-called laggards (those in the bottom 30%) to have a dedicated PCI compliance manager or PCI program office.
The data security performance rating for best-in-class organizations was 11% higher than the industry average and 22% higher than the laggards, the study found.
“Beyond the mere reporting of compliance with PCI, between 40% and 50% of the top-performing companies actually reduced the number of failed audits and the number of data security incidents, as well as the time and cost to address them,” says Derek E. Brink, vice president and research fellow for IT Security, Aberdeen.
The top-performing companies showed the strongest year-over-year improvements in vulnerability and risk assessments, infrastructure security, data protection, application security, and tracking and monitoring solutions, according to the study.
Among characteristics shared by the best-in-class companies are:
• 77% have conducted formal risk assessments, and 68% have conducted vulnerability assessments, for all system components in the card processing environment.
• 77% have a responsible executive or team with ownership for leading the PCI DSS compliance effort; 59% have implemented formal security awareness and training programs around PCI DSS.
• 76% have segmented their network to isolate systems that store, process or transmit cardholder data from those that do not, thus reducing the scope of the PCI compliance effort.
• 50% have eliminated storage of cardholder data and sensitive authentication data post-authorization; 41% have eliminated cardholder data in unstructured files outside the card processing environment.
• 48% have decreased the number of actual data loss incidents over the past 12 months.
• 48% have decreased the number of non-compliance incidents (audit failures) related to protecting cardholder data over the last 12 months.