Filed Under (Compliance, Merchant) by Michael Dahn on May-19-2008

Walt reminded me today of a conversation being had about the cost of PCI compliance. He and Scott have been calculating the cost of compliance within the USA. They say it’s about $2 billion or more, give or take. I cringe whenever someone calculates the cost of anything with so much variance. It’s so difficult to determine the actual numbers because of the variance within each factor. For example, within Level 1 merchants some are very, very large and others are very small. Also, there is a variance in the mindset about compliance and the risk tolerance someone is willing to accept, so they may implement different levels of each requirement.

It boggles the mind to think of how varied these numbers can be. But what if? What if you *could* calculate the total cost of compliance? What good is that information? Do you want to balance it against the cost of other alternatives for the industry? The problem with such big numbers is that they rarely apply to the industry, but should apply to the individual. It’s the old saying of “think globally, act locally.” For example, companies quote the cost of card replacement, in the event of fraud, anywhere between $1 and $25 per card. What does this large variance mean to the industry? Not much, but it should mean something to the individual. It should mean that, cumulative with other costs, it makes business sense for companies to comply with the PCI DSS.

I think the more interesting question is, “Why is the cost of compliance so high?” The answer is that companies do not look to reduce the scope of compliance before pulling the trigger on security spending. If business people drive the audit, they look at cost and balance business requirements against security. If security people drive the audit, they will secure the hell out of a bad business process. Part of defining scope is understanding the rules of compliance and your options for getting there. Too often companies do not understand the intent behind each requirement or the attack vectors being used to perpetrate fraud, and thus do not understand how best to allocate security capital.

The resources are out there.  The truth is out there.  It’s your job to find it.  It’s our job to help you get there.



Comments
wconway on May 19th, 2008 at 11:08 am #

Mike, I completely agree with your analysis and especially “Why is the cost so high?” You hit it on the head.

As I’ve preached over and over, there are two realities of PCI: your costs of card acceptance will go up, and you will change the way you do business. It is this last part that we often forget. PCI is not about which firewall or who needs background checks. It is about re-thinking your business processes and minimizing scope (ruthlessly).

Asking the right questions and re-thinking processes can go a long way to minimizing scope. PCI can be a great opportunity to reduce risk to the organization by just asking “why are we doing this the same old way?”

Davi Ottenheimer on May 20th, 2008 at 4:51 pm #

I agree with your point, but I think you are overly broad in your opinion:

“If security people drive the audit they will secure the hell out of a bad business process.”

I think that comment is really directed towards primarily technical people, engineers even, who are asked to make things secure without control of the business. You could say the same thing about someone asked to protect passengers in a car that may or may not drive over a bridge.

There are in fact security people who can understand business, and vice versa, and some are even allowed to drive.

Bob Ray on May 20th, 2008 at 7:18 pm #

Mike,
I have to agree - and disagree.
You’re right about the huge variance in that industry estimate - but there is still value to be found… $2B might be a big, scary number - personally, I think that’s optimistic - but what do we see in the losses attributed to breaches, information lost & reputational damage across the industry? Given the opportunity, TJX would gladly write a check for $2B just to avoid everything they’ve been through. $2B to clean up everyone’s exposures would be an absolute bargain!

You’re dead on in your tactical approach to reducing scope - but what many miss is the business value to just that - and the resulting strategic benefit. Process review & refresh is desperately needed by many organizations - and just that exercise alone will return significant value…to what is typically an organizational blind spot. Almost an afterthought that it will save significant effort and $$ in achieving a safe, secure technology environment in which a business can flourish.

If merchants and everyone else involved were to truly understand that - and then apply that “think globally, act locally” mentality, I think the fear of the cost would be replaced by anticipation of the benefits & rewards. If people - especially those with CxO’s behind their names - start to view PCI compliance as the ‘mandatory risk education & insurance’ that it is, opinions, perspectives & horizons will change.

We’ve all heard it before - but just to keep things in perspective…
If you think education is expensive, try ignorance.

Michael Dahn on May 20th, 2008 at 11:23 pm #

Bob, very well said. I like your idea that “the fear of the cost would be replaced by anticipation of the benefits & rewards” and “If you think education is expensive, try ignorance.”

Companies and processes rarely run as efficiently as they can in all areas. It’s just not worth it to do so. But when it comes to privacy and protecting customer and corporate data it really is more about business process improvement than security, which should be seen as the gears that make a good process work well and reliably.

Davi Ottenheimer on May 30th, 2008 at 10:34 am #

You might want to also check out the US Chamber of Commerce study called the Cost of SOX 404

http://www.uschamber.com/publications/reports/0711soxsurvey.htm

Tim Holman on June 6th, 2008 at 9:03 am #

Being the cynic I am, the cost of PCI is high as a high number of QSAs are promoting expensive security solutions into customers on the back of audits in order to make a quick buck on the side.
For example, one merchant I know was sold a key management system for $100,000 to manage the keys on a single instance of SQL. Why did they buy it? Because the QSA said it would solve their problems.
I think this calls for some delineation in the industry - QSAs shouldn’t be able to sell remediation solutions and also carry out the final audit - there is a complete conflict of interests.
Whilst overall security posture is increasing, there are too many consultancy companies making money on the side whilst the PCI SSC turn a blind eye! :)
We QSAs are getting a bad name…

Phil Cox on June 6th, 2008 at 9:19 am #

It is my understanding that if the QSA did not propose alternative solutions that would not line their pockets, then they are in breach of their QSA agreement and can, if egregious enough, be dis-qualified from being a QSA. This would take a client reporting them, and likely at least a few instances, but at some point it could happen.

wconway on June 6th, 2008 at 2:58 pm #

When a QSA finishes an assignment, it is my understanding they are to furnish a QA response form that the merchant sends to the PCI SSC. If you don’t get that or if the QSA forgets, you can download it here: https://www.pcisecuritystandards.org/docs/qsa_feedback_form_-_client.doc

I understand the SSC is moving on a QA program for QSAs (if that’s not too many initials…). They can’t do anything unless they hear about it.
