New report issued by Fortrex, Emagined Security and Solidcore reveals that the cost of PCI compliance is justified. Fortrex, in conjunction with Solidcore and Emagined Security, has compiled a PCI compliance report which reveals that the cost of a breach can easily be 20 times the cost of PCI compliance, more than justifying the up-front investment.
A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex
The Payment Card Industry Data Security Standard (PCI-DSS) was created by the credit card companies and is intended to protect cardholder data wherever it resides, ensuring that merchants and service providers maintain the highest degree of information security for their customers. While the standard is meant to have a positive impact on merchants, consumers and the retail industry, many retailers are still questioning its effectiveness and necessity in light of the high cost to comply. A recent poll of 201 information technology (IT) and PCI compliance professionals reinforces this point. The study found that 57% of respondents either experienced a compliance control deficiency in the past year or did not know if they had a PCI compliance deficiency in the IT environment.

The credit card companies divide merchants into various levels based on the number of transactions processed every year. For example, Visa categorizes Level 1 merchants as those processing more than six million transactions.

LEVEL      # TRANSACTIONS
Level 1    > 6 million
Level 2    1 - 6 million

While each level is subject to a different set of compliance activities, the strictest rules and highest costs apply to Level 1 merchants. In 2006, Visa redefined how transaction counts are derived to include ALL credit card transactions, not just ecommerce. This change forced many merchants up a tier or two when they factored in their traditional brick-and-mortar sales. In addition to transaction volume, any merchant that has suffered a hack or an attack resulting in account data being compromised is automatically required to meet Level 1 compliance requirements. Further, the acquirer (usually a bank that services the merchant's credit card receipts) may, at its discretion, require any merchant in its network to meet Level 1 requirements. As a best practice, many Level 2 merchants are advised to follow the Level 1 requirements, regardless of activity level.
Achieving PCI compliance, avoiding fines and retaining the privilege to accept credit cards requires merchants and service providers to address approximately 180 individual PCI requirements in 12 categories. The IT organization of a Level 1 or Level 2 merchant running hard toward PCI compliance can easily feel overwhelmed by the cost of upgrading the infrastructure and paying for ongoing infrastructure maintenance, as well as the assessment(s) needed to verify compliance. And because participating merchants must pay for their own PCI compliance assessments, the incremental cost of compliance depends upon the extent to which the infrastructure is already in a compliant or near-compliant state. Multiple assessments may also be needed to assure compliance, which is why it is essential for merchants to work with an experienced and qualified security assessor (QSA) that has been approved by the PCI Security Standards Council.

Despite the costs of compliance, recent research conducted by Solidcore Systems, Emagined Security, and Fortrex reaffirms the importance of complying with the PCI-DSS. The research finds that the cost of compliance is only a small fraction of the potential cost of non-compliance for Level 1 and Level 2 merchants.

Merchants and service providers must begin to look at the PCI compliance requirements as an opportunity to improve IT operations and gain broader IT benefits from an investment around PCI compliance. This means looking beyond meeting the requirements for PCI and evaluating technologies that can help ensure continuous PCI-DSS compliance as part of an IT organization's operations framework.
PCI Compliance Cost Analysis: A Justified Expense Page 2
Another recent poll conducted by Solidcore Systems and Emagined Security surveyed a group of 173 IT professionals responsible for PCI compliance, and found ...

... infrastructure not only include product costs, but also include the costs required for IT personnel to install and maintain the system...