The Security Dark Reading blog posted an article called "PCI Compliance May Mean Fewer Breaches, Study Says", which summarizes some of the key findings of the Ponemon Institute study on the effectiveness of the PCI DSS standard. The headline statistic from the study was that 64% of companies that had been compliant with PCI-DSS for the past year reported no security breaches, while only 38% of companies that are not PCI-DSS compliant made that claim. Assuming the study was well structured and the analysis controlled for other factors, that's a significant difference.
But there is still a large degree of skepticism about the PCI-DSS standard. As the Dark Reading article notes:
"only 33 percent [of respondents] believe that PCI-DSS compliance expenditure is covered by the value it brings to an organization."
My interpretation of that statistic is that even if you can say that security has been improved, the respondents didn't believe that the investment in PCI-DSS compliance was cost effective. That's a fair point, which makes me wonder whether more detail can be put into the study to see whether the control set in the PCI-DSS standard can be improved or not. Are there controls that are superfluous? Are there controls that have a bigger impact on security than others? These are the types of questions I'd like to see investigated.
I'd like to see the Ponemon Institute survey the companies on a control-by-control basis and then compare those results against which companies had or had not had a security breach in the past year. We might find that the vulnerability management requirements in PCI-DSS were the main contributor to improved security, while the requirements around encrypting cardholder data had virtually no effect.
I have no idea. I don't have any pet theories about what's right or wrong with PCI-DSS. But these are the types of studies that would be great to see. We need data that shows which security investments are worthwhile and which aren't. The PCI-DSS skeptics have a fair point. It's not just about improving security, it's about improving security cost effectively.