PCI — Are You Compliant?


Data from IBM below shows striking failure rates on the requirements for PCI compliance (it's from 2008, but nothing gives me any confidence that companies actually got better at this in 2009).

PCI Compliance Failure Rates
PCI Compliance Failure Rates

Are you PCI compliant? How do you know? Do you have data to prove it? If you don't, then CAST can give you hard data on how you're doing against each of the starred requirements below.

The 12 PCI Requirements (* = CAST can help directly; ** = CAST can help indirectly).

  1. Install and maintain standardized firewall configurations to protect data. (66% of companies do not comply)
  2. Do not use vendor-supplied defaults for system passwords and other security parameters. (62% of companies are unable to say if this is the case)
  3. *Protect stored data. (first time audit failure rate is 79%)
  4. Encrypt the transmission of cardholder and sensitive information across public networks.
  5. Use and regularly update antivirus software or programs.
  6. *Develop and maintain secure systems and applications. (56% of companies fail)
  7. **Restrict access to data on a need-to-know basis.
  8. Assign a unique ID to each person in your company with computer access. (failure rate is 71%)
  9. **Restrict physical access to cardholder data. (failure rate is 59%)
  10. Track and monitor all access to network resources and cardholder data. (failure rate is 71%)
  11. *Regularly test security systems and processes. (failure rate is 74%)
  12. **Maintain a policy that addresses information security for employees and contractors. (failure rate is 60%)
Get the Pulse Newsletter  Sign up for the latest Software Intelligence news Subscribe Now <>
Open source is part of almost every software capability we use today. At the  very least libraries, frameworks or databases that get used in mission critical  IT systems. In some cases entire systems being build on top of open source  foundations. Since we have been benchmarking IT software for years, we thought  we would set our sights on some of the most commonly used open source software  (OSS) projects. Software Intelligence Report <> Papers
In our 29-criteria evaluation of the static application security testing (SAST)  market, we identified the 10 most significant vendors — CAST, CA Veracode,  Checkmarx, IBM, Micro Focus, Parasoft, Rogue Wave Software, SiteLock,  SonarSource, and Synopsys — and researched, analyzed, and scored them. This  report shows how each measures up and helps security professionals make the  right choice. Forrester Wave: Static Application Security Testing, Q4 2017  Analyst Paper
Making sense of cloud transitions for financial and telecoms firms Cloud  migration 2.0: shifting priorities for application modernization in 2019  Research Report
Load more reviews
Thank you for the review! Your review must be approved first
New code

You've already submitted a review for this item