PCI DSS and Regulatory Compliance Blog

ROI of PCI compliance

January 22nd, 2007 Posted in Compliance

Many companies spend time working the numbers to determine the return on investment (ROI) of information security. Universities and business departments fuss over the ROI calculation and how it can be applied to decision-making processes. I’m not going to discuss or argue the different theories, but there is a clear and present ROI for PCI compliance; unfortunately it’s not an easy one to calculate, you just have to know it.

Many ROI calculations are based on the cost of compliance charted against the risk of incremental penalties or one-time compromises. Many companies feel their organization is secure, and even with the threat of penalties they choose not to comply because of high capital expenditure costs. The problem with this is that although the probability of a one-time compromise is low, the cost to a corporation if it does occur is extremely high.

Compliance, security, and risk are three entirely different things, although many people confuse them or use the terms interchangeably. A viable and effective compliance program should factor in both security and risk, but rely entirely on neither. The reason the ROI of compliance is difficult to calculate is that anyone who knows PCI compliance understands there are sliding-scale factors such as compensating controls, scope-reduction trade-offs, and short-term vs. long-term remediation timelines. Additionally, a company’s compliance roadmap is not static; it is discussed and negotiated with the merchant’s acquiring bank. These are intangible factors that are difficult to fit into a budget worksheet. So how does one determine whether compliance is needed?

ROI factors in both the “benefits” and the “costs” in a variety of manners [PDF]:

  • ROI = Benefits - Costs
  • ROI = Benefits / Costs
  • ROI = (Benefits - Costs) / Costs

Either way you stack it, to make a number or a ratio, you are balancing benefits against costs. In this case the costs are simple and are measured as the operational and capital costs of implementing the necessary information security measures. With sufficient planning these can be relatively fixed costs, because capital expenditures can be amortized over the life of the asset. (Without proper planning a company must implement immediate fixes and thus will have higher capitalized costs.)

The benefits of compliance are what have eluded people for so long. Until 2007, companies saw non-compliance as a simple risk equation: “Will I get hacked? If not, then don’t comply; else comply.” Now they have to factor in the cost of monthly fees and decide whether their decision not to comply was a good one. Large companies with a high cost of compliance (e.g. retail merchants) may not care about the fines imposed for non-compliance.

Regardless of whether the company is large or small, the major benefit of compliance is in not getting hacked. Remember that companies have been asking themselves “Will I get hacked?” If a company is hacked (large or small) it will incur a very large cost, often outweighing the original cost of compliance.

I use the “auto insurance” analogy often (although I am not hinting that companies should procure cyber-insurance, as it will not protect them against this risk for a variety of reasons). People do not have auto insurance because it makes sense financially. If you consider auto insurance as an asset and your monthly payments as an amortized cost, then the total cost over your lifetime will usually not make sense for any individual to pay. The reason we have auto insurance, and the reason we comply with PCI, is that if you ever got into a major accident (or suffered a major compromise) you could be liable for costs that bankrupt you or your corporation.

Companies need to stop complaining about the cost of compliance and trying to justify the short-term costs against potential fines. The fines are breadcrumbs compared with the potential cost of a large data breach. Once a company understands this risk it should scrap its ROI formulas and invest more time in complying with PCI.
