Find White Papers
PCI Compliance Cost Analysis: A Justified Expense

By: Solidcore
Published: Dec 12, 2007
Length: 5
Type: White Paper
Overview:

New report issued by Fortrex, Emagined Security and Solidcore reveals the cost of PCI compliance is justified.

Fortrex, in conjunction with Solidcore and Emagined Security, has compiled a PCI compliance report that reveals the cost of a breach can easily be 20 times the cost of PCI compliance, more than justifying the up-front investment. Despite the cost justification, attaining PCI compliance is a daunting task. It is recommended that the most complex requirements (10 and 11) be implemented first. These two requirements specify using a file integrity monitoring solution. Leading organizations are now deploying continuous file integrity monitoring solutions that constantly monitor critical files and immediately report the "who, what, and how" for any violations.
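To make the file integrity monitoring mechanism mentioned above concrete, here is an added example (not code from the Solidcore, Emagined or Fortrex report, and not any vendor's product) of the baseline-and-compare check at the heart of PCI-DSS requirement 11: hash a set of critical files into a baseline, re-scan later, and report every file that was added, removed, or changed in content or permission bits. The directory tree, file contents and "tampering" steps in `demo()` are constructed for illustration. Note what a hash comparison can and cannot tell you: it reports the "what", while the "who" and "how" require the audit logging that requirement 10 covers.

```python
"""Minimal file-integrity monitoring (FIM) baseline-and-compare check.

Added illustration, not code from the report or a vendor product. A
baseline snapshot records a SHA-256 digest, size and permission mode for
every regular file under a root; a later snapshot is diffed against it.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its digest, mode and size."""
    entries = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.lstat()
        entries[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),  # permission bits only (incl. setuid/sticky)
            "size": st.st_size,
        }
    return entries


def compare(baseline: dict, current: dict) -> dict:
    """Return added/removed/modified files; each modified file lists which attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for name in sorted(set(baseline) & set(current)):
        reasons = [k for k in ("sha256", "mode", "size")
                   if baseline[name][k] != current[name][k]]
        if reasons:
            modified[name] = reasons
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake system tree, alter it, re-scan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")   # constructed sample config
        (root / "etc" / "old.conf").write_text("legacy=true\n")        # will be deleted later
        (root / "bin" / "pos").write_bytes(b"\x7fELF-sample-binary")  # stand-in for a binary
        os.chmod(root / "bin" / "pos", 0o755)
        baseline = snapshot(root)

        # Simulated changes between scans (all constructed):
        (root / "etc" / "app.conf").write_text("db_host=203.0.113.9\n")  # content edited
        os.chmod(root / "bin" / "pos", 0o777)                             # made world-writable, content same
        (root / "etc" / "old.conf").unlink()                              # file removed
        (root / "bin" / "helper.sh").write_text("#!/bin/sh\n")            # file added
        current = snapshot(root)
        return compare(baseline, current)


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

In a real deployment the baseline would be stored outside the monitored host (or signed) so that an attacker who changes a file cannot also rewrite its recorded digest, and the scan would run on a schedule or from a file-change event rather than on demand.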

Related categories: Compliance, Data Protection, Database Security, Intrusion Prevention, Network Security, PCI Compliance, Security

PCI Compliance

The Payment Card Industry Data Security Standard (PCI-DSS) was created by the credit card companies and is intended to protect cardholder data wherever it resides, ensuring that merchants and service providers maintain the highest degree of information security for their customers. While the standard is meant to have a positive impact on merchants, consumers and the retail industry, many retailers are still questioning its effectiveness and necessity in light of the high cost of compliance. A recent poll of 201 information technology (IT) and PCI compliance professionals reinforces this point. The study found that 57% of respondents either experienced a compliance control deficiency in the past year or did not know whether they had a PCI compliance deficiency in their IT environment.

Despite the costs of compliance, recent research conducted by Solidcore Systems, Emagined Security, and Fortrex reaffirms the importance of complying with the PCI-DSS. The research finds that the cost of compliance is only a small fraction of the potential cost of non-compliance for Level 1 and Level 2 merchants.

Merchants and service providers must begin to look at the PCI compliance requirements as an opportunity to improve IT operations and gain broader IT benefits from an investment around PCI compliance. This means looking beyond meeting the requirements for PCI and evaluating technologies that can help ensure continuous PCI-DSS compliance as part of an IT organization’s operations framework.

The credit card companies divide merchants into various levels based on the number of transactions processed every year. For example, Visa categorizes Level 1 merchants as those processing more than six million transactions.

While each level is subject to a different set of compliance activities, the strictest rules and highest costs apply to Level 1 merchants. In 2006, Visa redefined how transaction counts are derived to include ALL credit card transactions, not just ecommerce. This change forced many merchants up a tier or two when they factored in their traditional brick-and-mortar sales. In addition to transaction volume, any merchant that has suffered a hack or an attack resulting in account data being compromised is automatically required to meet Level 1 compliance requirements. Further, the acquirer (usually a bank that services the merchant’s credit card receipts) may, at its discretion, require any merchant in its network to meet Level 1 requirements. As a best practice, many Level 2 merchants are advised to follow the Level 1 requirements, regardless of activity level.

Achieving PCI compliance, avoiding fines and retaining the privilege to accept credit cards requires merchants and service providers to address approximately 180 individual PCI requirements in 12 categories. The IT organization of a Level 1 or Level 2 merchant running hard toward PCI compliance can easily feel overwhelmed by the cost of upgrading the infrastructure and paying for ongoing infrastructure maintenance, as well as the assessment(s) needed to verify compliance. And because participating merchants must pay for their own PCI compliance assessments, the incremental cost of compliance depends upon the extent to which the infrastructure is already in a compliant or near-compliant state. Multiple assessments may also be needed to assure compliance, which is why it is essential for merchants to work with an experienced qualified security assessor (QSA) that has been approved by the PCI security standards council.

Another recent poll conducted by Solidcore Systems and Emagined Security surveyed a group of 173 IT professionals responsible for PCI compliance, and found that only 6% were completely confident they would not experience a data breach following a successful PCI compliance assessment. This reinforces the importance of working with an experienced QSA that can help the IT organization properly understand and set expectations around PCI compliance.

The Three Cost Categories of PCI-DSS

For the purposes of conducting this analysis, Solidcore, Emagined and Fortrex divided the costs tied to PCI-DSS compliance into three categories: upgrading systems, assessments, and sustaining compliance.

Cost 1: Upgrading Infrastructure – Merchants and service providers must ensure that computer systems processing payment and cardholder information are upgraded in accordance with the PCI-DSS requirements. For many Level 1 and Level 2 merchants, much of the security infrastructure may already be in place. However, some may find the need to purchase and install new infrastructure components, including but not limited to additional firewalls, upgraded anti-virus, anti-spyware and full-spectrum messaging security software, secure wireless systems, data encryption technologies, and file-integrity monitoring software.
