Does PCI affect the bottom line?
June 16th, 2007 by admin Posted in Compliance
I have always believed in Newton’s third law of motion. It says that, “for every action there is an equal and opposite reaction.” This is why I think that PCI does affect the bottom line, and in a positive way.
The question is, will PCI have a positive or negative impact on your business? This blog has an interesting quote:
Robert Fort, director of IT at Virgin Entertainment Group Inc. in Los Angeles… contended that meeting the requirements doesn’t boost a retailer’s bottom line. “There’s no direct return on investment,” he said. “It will not help us sell CDs.”
PCI may not directly sell more CDs or widgets, but not everything a company does sells more product. Companies should think more about protecting their customers as a method of selling more product.
Apple is one of the best companies at this. They have loyal customers who love their brand and their products. How do they accomplish this? By making and keeping their customers happy.
To think that PCI compliance will not affect your bottom line is a very short-sighted view. Many people use compliance as a marketing move, others just want to protect their customers, and still others just want to be secure.
8 Responses to “Does PCI affect the bottom line?”
By apm on Jun 17, 2007
I think the issue here is that business people focus on the next quarter’s results, the profit margin and share price. This means that InfoSec, which they perceive as a longer term issue takes a back seat.
I wrote about this on my blog (infosecandpcifromscratch.blogspot.com) with a short post entitled “The difference between business people and InfoSec people”.
Until people stop thinking of InfoSec as an “insurance policy” this is going to be the norm, unfortunately.
By Rob Newby on Jun 17, 2007
When I read comments like that from IT directors I want to go and shake them vigorously. You can bet your bottom dollar he was thinking he was really smart for knowing about PCI and rubbishing it as well.
OK buddy, it may not sell your CDs, but when Joe Hacker is stealing your customers’ credit card details from your underprotected IT infrastructure, (which by the way, YOU are responsible for) that WILL directly affect the bottom line.
So, yeah, go ahead, think of it as an insurance policy if you like, but more relevantly, think of it as completing your network, completing your duties as an IT Director and most importantly of all, your duty to your customers.
Otherwise you aren’t going to have very many left who feel particularly loyal for very long, and it will be exactly this positioning of yours that gets examined first when the inevitable breach occurs.
It amazes me that people are this ignorant in the first place, however what is short-sighted is advertising the fact that you are deliberately staying vulnerable, even in the face of fines. No, correction, it’s beyond short-sighted, it’s plain stupid.
By apm on Jun 17, 2007
@Rob,
I know what you actually mean, but by saying “completing your network” it suggests that InfoSec is the last thing that is needed before the job is done.
Obviously (and I _know_ you know this because of your position on data security), leaving InfoSec until the last moment is another mistake.
InfoSec should be foundation work, in at the ground level, at the design stage, even the theoretical stage. If that happened then people would just accept it as part and parcel of the “job”.
Also, I recently posted on my blog about the customer loyalty issue and how I think it’s a dead argument. If I’m right (and obviously I think I am!!!) then pushing the customer confidence issue is dead thanks to TJX and their results.
By Alex on Jun 18, 2007
I don’t know guys. I see our side of the issue, but I also see his. Nobody’s telling Robert the value of PCI compliance is some defensible (and consistent) metric “V”.
I’d get pretty sick and tired of hearing: “Just spend $150,000 of budget and 6 man months because:
1.) The hackers will get us!
2.) The auditors will get us!
3.) The customers will get us!”
if I were him, too.
Yes, it sucks that other cost centers (accounting, facilities, etc…) don’t have to jump through these hoops to justify their existence, but that’s just the way it’s going to be until we do a better job at communication and metrics.
By apm on Jun 18, 2007
Sorry, I didn’t mean to say that PCI should be done at any cost. Of course cost benefit analysis should be used to judge costs against benefit, even to the extent of whether PCI compliance should be achieved at all.
In the UK, a high street newspaper / book shop decided to ignore the Chip and PIN compliance requirements within their shops because it would cost more than the fines. To this day, you still have to sign the transaction slip rather than entering your PIN. This is a good example of the CBA approach (I’m not saying I agree with it necessarily, just that it’s a good example of the process).
The days of “The hackers will get us” reasoning are well gone, pressurised profit margins have seen to that.
By Andy Barratt on Jun 29, 2007
This has always been a difficult one, as essentially the IT Director doesn’t get much say in the matter. Yes, PCI non-compliance can adversely affect the bottom line, but Alex, other cost centres get slapped about too..
Accounts, Financial audit anyone?
Facilities, Health and Safety if you please?
Where I really feel for the IT Director is when they have some idiot CEO who thinks… “oh this is an IT issue” just take it out of your budget.
It gets interesting when IT / IS has the ability to chargeback to the business units it has to secure in order to meet the compliance requirements.
The funny thing is, for some places PCI can be implemented at relatively low cost just by ringfencing the systems that are in scope and appropriately defending them. It doesn’t always have to be a corporate-wide thing, especially if you have lots of legacy systems that are going to impair your encryption, two-factor auth, etc.
Saw a shocker recently and their FD is now making money available to them as he can see the potential for another TKMax!!