The 2009 PCI DSS and Protecting Cardholder Data Report

Aberdeen Group's Third Annual Study on PCI DSS and Protecting Cardholder Data Shows That Top Performers Achieve and Sustain PCI Compliance at 50% Lower Cost


BOSTON, MA--(Marketwire - December 9, 2009) - In a new study on PCI DSS and Protecting Cardholder Data, the organizations earning top results were found to achieve and sustain compliance with PCI DSS at a 50% lower cost than all other respondents. The third annual study on protecting cardholder data by Aberdeen Group, a Harte-Hanks Company (NYSE: HHS), provides year-over-year insights into the progress that affected organizations have made in achieving and sustaining compliance with PCI DSS, as well as the specific areas of greatest challenge.

The research showed that consistent network vulnerability scanning, application vulnerability scanning, and penetration testing are core capabilities for enhancing security and achieving and sustaining PCI compliance. The top-performing companies in the study are spending 61% less than all others in these areas, while achieving better results. The threat landscape is constantly changing, and realistically companies can neither adopt a "set and forget" approach to security nor hope that either the compliance requirements or the threats will simply go away. Most attacks can be avoided by being vigilant -- regardless of whether the organization has been certified as PCI compliant.

Data protection represented an area of above-average investments that yielded below-average results for the majority of respondents, as well as one of the consistently largest gaps between the leading and lagging performers in current use of enabling technologies such as encryption, enterprise key management, content monitoring and filtering, and access management. While all companies should do a better job of leveraging these technologies to protect cardholder data in the here and now, they should also pay close attention to collaborations between payment processors and technology solution providers to promote alternatives such as tokenization and end-to-end encryption for the elimination of stored cardholder data altogether. The most effective way to protect data is not to block the attacker, but to take away the attacker's target.

"Over the course of three annual benchmark studies on PCI DSS and protecting cardholder data, Aberdeen's research has shown that for the leading organizations PCI compliance is a natural outcome of best practices in IT Security, as opposed to a mere check-the-box effort at compliance," said Derek E. Brink, CISSP, vice president and research fellow for IT Security, Aberdeen Group. "The top performers in the 2009 study achieve and sustain PCI compliance at a 50% lower cost than all other participants, while still dedicating sufficient resources for sustainable programs and improvements."

A complimentary copy of "The 2009 PCI DSS and Protecting Cardholder Data" report is made available in part by the following underwriters: SAINT Corporation and Tripwire.

To obtain a complimentary copy of the report, please visit: http://www.aberdeen.com/link/sponsor.asp?cid=5892.

To view complimentary 30-minute webcasts highlighting findings from this and other Aberdeen IT Security research, visit http://www.brighttalk.com/channels/1209/view.

For additional access to complimentary Information Technology research, visit research.aberdeen.com.

About Aberdeen Group, a Harte-Hanks Company

Aberdeen provides fact-based research and market intelligence that delivers demonstrable results. Having queried more than 30,000 companies in the past two years, Aberdeen is positioned to educate users to action: driving market awareness, creating demand, enabling sales, and delivering meaningful return-on-investment analysis. As the trusted advisor to the global technology markets, corporations turn to Aberdeen for insights that drive decisions.

As a Harte-Hanks Company, Aberdeen plays a key role in putting content in context for the global direct and targeted marketing company. Aberdeen's analytical and independent view of the "customer optimization" process of Harte-Hanks (Information - Opportunity - Insight - Engagement - Interaction) extends the client value and accentuates the strategic role Harte-Hanks brings to the market. For additional information, visit Aberdeen or call (617) 854-5200, or to learn more about Harte-Hanks, call (800) 456-9748.

© 2009 Aberdeen Group, Inc., a Harte-Hanks Company
451 D Street, Suite 710
Boston, Massachusetts 02210-1928
Telephone: (617) 854-5200
Fax: (617) 723-7897
www.aberdeen.com

Contact Information:
Media Contact:
Derek E. Brink
Aberdeen Harte-Hanks
(617) 854-5254
Derek.Brink@aberdeen.com