Press Releases

Press Release

Survey Examines Plans For Enterprises to Comply With Payment Card Industry Data Security Standards (PCI DSS)

BOCA RATON, FL and ALBUQUERQUE, NM, Nov. 20, 2007 — According to data gleaned from the Third Annual Enterprise IT Security Survey of 350 IT managers and network administrators commissioned by VanDyke Software®, of the 175 respondents that answered a question about when they intend to take action to become more compliant with Payment Card Industry Data Security Standards (PCI DSS), 38.85% said they will take action within the next 6 months, while 37.71% said they would take action within the next 7 to 12 months. Meanwhile, 13.71% said they would take action in the next 13 to 18 months, and 1.71% indicated beyond 18 months, while 8% responded "Don’t know".

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information. The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover, and American Express.

"Over 80 percent of the survey respondents working for organizations which accept credit card payments at point of sale, over the internet, by mail, or by phone said they were PCI DSS compliant – with 33% saying they were compliant, and 48 percent saying they were very compliant," said Steve Birnkrant, CEO of Amplitude Research. Furthermore, of the 212 respondents that indicated their organization accepts credit card payments, 40% indicated that their organization had been audited for compliance with the PCI Data Security Standards.

The PCI DSS specifies and elaborates on six major objectives.

•  First, a secure network must be maintained in which transactions can be conducted. This requirement involves the use of firewalls that are robust enough to be effective without causing undue inconvenience to cardholders or vendors. Specialized firewalls are available for wireless LANs, which are highly vulnerable to eavesdropping and attacks by malicious hackers. In addition, authentication data such as personal identification numbers (PINs) and passwords must not involve defaults supplied by the vendors. Customers should be able to conveniently and frequently change such data.
•  Second, cardholder information must be protected wherever it is stored. Repositories with vital data such as dates of birth, mothers' maiden names, Social Security numbers, phone numbers, and mailing addresses should be secure against hacking. When cardholder data is transmitted through public networks, that data must be encrypted in an effective way. Digital encryption is important in all forms of credit-card transactions, but particularly in e-commerce conducted on the internet.
•  Third, systems should be protected against the activities of malicious hackers by using frequently updated anti-virus software, anti- spyware programs, and other anti-malware solutions. All applications should be free of bugs and vulnerabilities that might open the door to exploits in which cardholder data could be stolen or altered. Patches offered by software and operating system vendors should be regularly installed to ensure the highest possible level of vulnerability management.
•  Fourth, access to system information and operations should be restricted and controlled. Cardholders should not have to provide information to businesses unless those businesses must know that information to protect themselves and effectively carry out a transaction. Every person who uses a computer in the system must be assigned a unique and confidential identification name or number. Cardholder data should be protected physically as well as electronically. Examples include the use of document shredders, avoidance of unnecessary paper document duplication, and locks and chains on dumpsters to discourage criminals who would otherwise rummage through the trash.
•  Fifth, networks must be constantly monitored and regularly tested to ensure that all security measures and processes are in place, are functioning properly, and are kept up-do-date. For example, anti-virus and anti-spyware programs should be provided with the latest definitions and signatures. These programs should scan all exchanged data, all applications, all random-access memory (RAM) and all storage media frequently if not continuously.
•  Sixth, a formal information security policy must be defined, maintained, and followed at all times and by all participating entities. Enforcement measures such as audits and penalties for non-compliance may be necessary.

The 2007 study was conducted by Amplitude Research over the period October 2nd to October 5th 2007 among its nationwide web panel and had 350 total survey respondents with a margin of error of 5.2%. To obtain an executive summary of the 2007 survey results, contact Michael Krems of Krems Public Relations at krems@kremspr.com.

About Amplitude Research, Inc.

Amplitude Research® (www.amplituderesearch.com) is a privately owned survey research organization headquartered in Boca Raton, Florida, with blue chip clients located throughout the United States and Canada. Amplitude combines its powerful survey platform, experienced survey administration, proprietary web sample, and high-quality reporting to deliver Loud and Clear™ results. Its leadership team has over 30 years of experience in quantitative survey research, and is supported by its staff of survey design experts, statisticians, project managers, and IT professionals.

Amplitude's 10,000+ member IT panel (www.panelspeak.com) was formed in early 2002 and consists of five distinct segments: (i) C level or higher IT professionals including CTOs, CIOs, and MIS managers; (ii) developers, software engineers, programmers, database administrators, and security experts; (iii) systems administrators, network administrators, and networking managers; (iv) business executives at smaller size technology companies such as CEOs, CFOs, and senior managers; and (v) other IT professionals such as project managers, technical support specialists, and intranet managers.

The name "Amplitude" Research and its tagline "loud and clear" signify Amplitude's commitment to high-quality reporting with clear and concise presentation of the findings.

About VanDyke Software, Inc.

IT professionals who are responsible for network administration and end-user access where security is critical rely on VanDyke Software's rock solid and easy to configure software. The company develops secure, standards-based data access, file transfer, and communications software for internet and intranet use by corporations, government, and education. VanDyke Software consistently delivers accurate, responsive support, and addresses its customers' evolving needs with timely product enhancements. VanDyke offers a fully-supported 30-day evaluation of its products prior to purchase. For more information about VanDyke Software, visit the company's website at www.vandyke.com.