A report by the Ponemon Institute, commissioned by Thales, released findings on Qualified Security Assessors' (QSAs') recommendations and on compliance costs for the information and communication security industry.
The report, titled PCI DSS Trends 2010 – QSA Insights, found that 41% of businesses would fail compliance audits if they were unable to rely on temporary compensating controls to meet Payment Card Industry Data Security Standard (PCI DSS) requirements.
Feedback and suggestions from the assessors include comments on PCI requirements and on data encryption solutions. For example, assessors find that the most difficult PCI requirement to meet is restricting access to cardholder data on a business-driven need-to-know basis.
Additionally, 41% of assessors say that controlling access to encryption keys is the most difficult key management task faced by clients using encryption, and 81% of assessors suggest the use of a hardware security module (HSM) for encryption and key management as a more user-friendly option.
This study shows that many merchants are primarily focused on complying with PCI and less on protecting sensitive information, which has become the primary concern among assessors.