
New Cyber Security Survey Shows Only 12% of UK Organisations are Completely Confident their Endpoints are PCI Compliant

46% of respondents indicated they cannot adequately monitor and control access to critical data on their POS systems

Lack of knowledge about PCI compliance could lead to security weaknesses

London UK, 9 July, 2014—Bit9® + Carbon Black, the leader in endpoint threat prevention, detection and response, today announced the results of a cyber security study which show that only 12% of IT organisations in the UK are completely confident that their endpoints are compliant with PCI DSS V.3.0. This points to poor cyber-security safeguards for those systems that process credit card payments and handle customers’ personally identifiable information (PII).

While 94% of respondents said they have heard of PCI compliance, and 66% acknowledged that PCI applies to their organisations, only 21% admitted they feel up-to-speed regarding PCI compliance requirements.

Almost half (46%) of respondents working in organisations with POS systems indicated that they cannot adequately monitor and control access to critical data on their endpoints (i.e., credit card data and personally identifiable information)—suggesting that endpoint systems and payment card data are largely unprotected and vulnerable to being breached.

Additionally, only one-fifth (20%) of those with POS systems could definitely say that their systems have not been targeted by cyber attacks, and almost half (47%) admitted that they have no way of being certain. Only 52% of POS users surveyed are confident, or very confident, that their current security system is able to stop advanced threats or targeted attacks against their POS systems.

“These results highlight a major lack of confidence and knowledge around PCI 3.0 with an urgent need for organisations to improve protection of endpoint systems and the credit card data they house, against cyber threats”, commented Christopher Strand, senior director, compliance for Bit9 + Carbon Black.

The survey, conducted by Vanson Bourne, covered 250 UK IT decision makers, working in organisations of at least 250 employees, across a spread of industries.

Other findings include:

  • Only 10% of the IT budget is being spent on meeting new PCI 3.0 requirements (in organisations where PCI is relevant)—data breaches can lead to catastrophic consequences, and organisations must prioritise compliance regulations and ensure their house is in order.
  • Only 12% of those in organisations where PCI compliance is relevant are completely confident that their organisation’s retail endpoints are PCI compliant, and endpoint vulnerability continues to be the biggest concern for almost four out of 10 decision makers (38%)—truly protecting endpoint systems and the credit card data they process against cyber threats requires a thorough knowledge of how to implement all 12 PCI requirements, said Strand.
  • It currently takes, on average, eight days for organisations that need to work with PCI, to conduct pre-compliance data gathering for PCI assessment.
  • 74% of respondents were still relying on systems running Windows XP. Only 29% of these were expecting to deploy a new operating system in the near term, despite the fact that XP has reached end of life. This highlights the vulnerability of such systems—not only do organisations risk failing PCI compliance and facing potential fines, they may also make themselves more vulnerable to cyber attacks.

Responding to the findings, Strand added: “In an industry fraught with identity theft and cyber crime, it’s essential that companies protect their customers’ credit card data and personal information. This can only be achieved by putting in place a positive security model that will monitor and control all servers, endpoints and critical data. Whilst the PCI regulations may seem intimidating, the results of a breach far outweigh the effort involved in ensuring your organisation is compliant.”

About Vanson Bourne
Vanson Bourne is an independent specialist in market research for the technology sector. Its reputation for robust and credible research-based analysis is founded upon rigorous research principles and an ability to seek the opinions of senior decision makers across technical and business functions, in all business sectors and all major markets.

About Bit9 + Carbon Black
Bit9 + Carbon Black offers the most complete solution against the advanced threats that target your organization’s endpoints and servers. This makes it easier for you to see—and immediately stop—those threats.

Carbon Black’s lightweight endpoint sensor, which can be rapidly deployed with no configuration to enable detection and response in seconds, combined with Bit9’s industry-leading prevention technology, delivers four key benefits:

  • Continuous, real-time visibility into what’s happening on every computer
  • Real-time threat detection, without relying on signatures
  • Instant response by seeing the full “kill chain” of any attack
  • Prevention that is proactive and customizable

Thousands of organizations worldwide—from 25 Fortune 100 companies to small businesses—use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon Black a core component of their detection and response services. With Bit9 + Carbon Black, you can arm your endpoints against advanced threats. For more information, visit our website.

Bit9 is a registered trademark of Bit9, Inc. All other company or product names may be the trademarks of their respective owners.