New research shows data security is still not high enough on the list of priorities for many firms, with PCI compliance also being ignored.

The research, from app security firm Imperva, may seem a little of the "they would say that" variety, but nevertheless illuminates the attitudes of many multinational firms when it comes to protecting sensitive customer data.

It found that 71 per cent of firms still don't treat data security as a top strategic initiative, while 55 per cent said they only secure credit card information and not other sensitive information such as Social Security numbers, driver's license numbers, and bank account details .

Unsurprisingly, the report said companies taking a strategic approach to PCI compliance have fewer data breaches.

More interestingly, nearly two thirds of the firms surveyed said they don't have the resources to comply with PCI. Given that many of these are multinationals, that figure seems alarmingly high, and if true, would seem to indicate security teams need to work harder to communicate to the business the importance of compliance with the standard.

"Security departments are using PCI compliance as leverage to gain more budget, but these resources are not always translating into greater security for sensitive customer data," said Larry Ponemon, chairman and founder, Ponemon Institute.

"The results of our study indicate that while some companies have figured out how to convert PCI standards into an overall security mandate--many more have not."