National Survey Finds Most Companies Expect to be Compliant with PCI Standards within 18 Months

Findings indicate authentication and access among top priorities; 44 percent have deployed two-factor authentication; 26 percent aim to go beyond compliance to deploy best practices and technologies

LEXINGTON, MA- October 27, 2008- Imprivata®, Inc., the converged authentication and access management company, announced the results of a national survey examining Identity Management Trends in PCI Compliance 2008, covering the state of Payment Card Industry (PCI) data security standards (DSS) and compliance spanning companies over a cross-section of industries. Timely with the PCI Data Security Standard 1.2 being recently released on Oct. 1, 2008, this online survey of IT decision makers covered companies of all sizes and highlighted trends and the role of authentication and access technologies in achieving compliance.

Survey Facts

The time is now for most companies to select, buy and deploy technologies to achieve compliance within 18 months:

  • Companies across a variety of industries must comply with the PCI DSS requirements or risk steep penalties and fines – most deem compliance very important to avoiding unnecessary risk and related costs. Many firms are actively engaged in the PCI DSS compliance process by examining the specific requirements, retaining a consultant and/or implementing technologies to satisfy the industry mandates.
  • Despite the latest PCI DSS compliance requirements deadline having passed in June2008, only 39 percent of respondents confirmed they are currently compliant
  • Of the 61 percent of respondents that are not yet compliant, 53 percent expect to become compliant within 12 months; 65 percent expect to be compliant within 18 months
  • 90 percent of those respondents not yet compliant view PCI DSS compliance as important; 44 percent consider it very or extremely important

Authentication and access technologies are clear priorities to achieving PCI DSS compliance:

  • The PCI DSS regulations cover twelve specific areas across IT disciplines, with many tied to authentication and access technologies that are the current focus of investments for respondents’ compliance efforts. Many respondents have outlined specific authentication and access technologies as areas they still need to invest in to satisfy compliance requirements and to achieve key security objectives overall.
  • To control individual access to computing resources and cardholder information, 74 percent have assigned a unique user ID, 63 percent have deployed strong authentication technologies and 63 percent have deployed password management technologies
  • 35 percent of respondents have already deployed single sign-on (SSO), and 39 percent have deployed physical access security cards
  • In pursuit of PCI DSS compliance to satisfy the 12 specific regulations: 68 percent of respondents have already restricted access to cardholder data based on need-to-know; 73 percent have assigned a unique ID to each person with computer access; 75 percent restrict physical access to cardholder data; 70 percent track and monitor all access to network resources and cardholder data

Companies are moving beyond simple ‘check-box’ compliance to deploy best-of-breed security technologies and establish best practices:

  • As companies work towards meeting the PCI DSS mandates, there is a group of respondents that are concerned with more than simple compliance. Instead, while interested in compliance, their primary driver is to improve their security in a holistic manner.
  • 26 percent of those not yet compliant aim to have the best security available in the industry to protect data
  • 31 percent acknowledge the risk of significant penalties is their primary driver for achieving PCI DSS compliance

The study was conducted in June and July 2008, culminating in 64 responses from IT decision-makers across the U.S. spanning every major industry.

Finding the Right Path to PCI Compliance Webinar
Ali Pabrai, CISSP (ISSAP, ISSMP), CSCS, chief executive of ecfirst, will discuss the survey findings and discuss best practices for achieving PCI DSS compliance via a webinar, “Finding the Right Path to PCI Compliance,” on Thursday, Oct. 30 at 11:00 am ET.
 

Links
Full results of the “Identity Management Trends in PCI Compliance 2008”.

Quote attributed to Omar Hussain, President and CEO, Imprivata, Inc.
“Ensuring PCI DSS compliance is at the top of the list for organizations taking payment card information – more so now than ever before with the latest deadline having recently passed and the final set of requirements and documentation to be issued by the end of 2008. Though a large majority of companies are still not yet compliant, they are actively engaged in efforts to achieve compliance. Authentication and access technologies are clearly among the highest priority, as they can satisfy a number of requirements simultaneously.”

About Imprivata
Imprivata is the converged authentication and access management company. Its OneSign platform helps organizations safeguard enterprise information assets by enabling secure employee access to networks and applications—improving user productivity and convenience, while reducing the time, risk and cost of complying with data privacy and protection regulations. OneSign has received top ratings in product reviews throughout the industry and has been awarded numerous accolades from leading publications including Information Security, InfoWorld and SC Magazine. Headquartered in Lexington, Mass., Imprivata is one of the fastest growing IAM companies with more than 650 customers and over 200 partners around the world.For more information, visit http://www.imprivata.com.

Imprivata is a registered trademark of Imprivata, Inc. in the USA and other countries. All other product or company names mentioned are the property of their respective owners.