For Immediate Release – December 16, 2009
SAINT sponsors Aberdeen Research – The 2009 PCI DSS and Protecting Cardholder Data Report
Aberdeen Group’s third annual study on PCI DSS and protecting cardholder data shows that top performers achieve and sustain PCI compliance at 50% lower cost
Bethesda, MD – In a new benchmark study on PCI DSS and Protecting Cardholder Data, the organizations earning top results were found to achieve and sustain compliance with PCI DSS at a 50% lower cost than all other respondents. The third annual study on protecting cardholder data by Aberdeen Group, a Harte-Hanks Company (NYSE:HHS), provides year-over-year insights into the progress that affected organizations have made in achieving and sustaining compliance with PCI DSS, as well as the specific areas of greatest challenge.
The research showed that consistent network vulnerability scanning, application vulnerability scanning, and penetration testing are core capabilities for enhancing security and achieving and sustaining PCI compliance. The top-performing companies in the study are spending 61% less than all others in these areas, while achieving better results. The threat landscape is constantly changing, and realistically companies can neither adopt a "set and forget" approach to security nor hope that either the compliance requirements or the threats will simply go away. Most attacks can be avoided by being vigilant – regardless of whether the organization has been certified as PCI compliant.
Data protection represented an area of above-average investments that yielded below-average results for the majority of respondents, as well as one of the consistently largest gaps between the leading and lagging performers in current use of enabling technologies such as encryption, enterprise key management, content monitoring and filtering, and access management. While all companies should do a better job of leveraging these technologies to protect cardholder data in the here and now, they should also pay close attention to collaborations between payment processors and technology solution providers to promote alternatives such as tokenization and end-to-end encryption for the elimination of stored cardholder data altogether. The most effective way to protect data is not to block the attacker, but to take away the attacker's target.
"Over the course of three annual benchmark studies on PCI DSS and protecting cardholder data, Aberdeen's research has shown that for the leading organizations PCI compliance is a natural outcome of best practices in IT Security, as opposed to a mere check-the-box effort at compliance," said Derek E. Brink, CISSP, vice president and research fellow for IT Security, Aberdeen Group. "The top performers in the 2009 study achieve and sustain PCI compliance at a 50% lower cost than all other participants, while still dedicating sufficient resources for sustainable programs and improvements."
To view complimentary 30-minute webcasts highlighting findings from this and other Aberdeen IT Security research, visit http://www.brighttalk.com/channels/1209/view.
About Aberdeen Group, a Harte-Hanks Company
Aberdeen provides fact-based research and market intelligence that delivers demonstrable results. Having queried more than 30,000 companies in the past two years, Aberdeen is positioned to educate users to action: driving market awareness, creating demand, enabling sales, and delivering meaningful return-on-investment analysis. As the trusted advisor to the global technology markets, corporations turn to Aberdeen for insights that drive decisions.
SAINT Corporation provides network security tools to financial, government and educational institutions around the world. The SAINT® vulnerability scanner and penetration testing tools are recognized as industry leaders by top information security organizations and publications.