
Industry View: Calculating the True Cost of PCI Non-Compliance

Symark’s Ellen Libenson does the math.

By Ellen Libenson

January 07, 2008 (CSO) — Despite being given a deadline of September 30, 2007 to comply with the Payment Card Industry Data Security Standard (PCI DSS), many Level 1 merchants—those that process more than 6 million card transactions per year—still do not meet the standard's requirements. In fact, Visa reports that as much as 40 percent of its Level 1 merchants fall into this category.

While monthly fines for non-compliance—ranging from $5,000 to $25,000—may not seem steep to merchants of this size, the costs of non-compliance go far beyond the fines themselves, which are levied by the card brands and passed down through the merchant's acquiring bank.

It is critical for IT administrators and C-level executives to consider all of the costs associated with both PCI compliance and non-compliance, especially given the December 31, 2007 deadline for Level 2 merchants to demonstrate compliance. Some of these costs are obvious, but others are not, and it is equally important to understand the far-reaching benefits of compliance.

The Costs of Compliance…and Non-Compliance

Calculating the costs of PCI DSS compliance can be difficult. It is not simply a matter of achieving compliance once and then maintaining it, because PCI compliance is a moving target. For example, the standard is changing in response to consumer pressure to write more of the PCI industry standard into law, so that it becomes a regulatory mandate rather than a contractual obligation to the card brands.

What's more, the technologies and attack vectors that criminals use are becoming more sophisticated, so new countermeasures will have to be purchased and implemented to address emerging threats. This makes the ongoing cost of compliance difficult to measure, and it can deter organizations from investing the resources necessary to meet the requirements laid out in PCI DSS. However, the ongoing costs of non-compliance can be far greater.

In addition to the monthly fines, one of the biggest costs of non-compliance is lost business if an acquirer refuses to process card payments for a merchant after a data breach occurs. Many of these breaches involve the theft of full magnetic stripe (track) data stored on a merchant's systems. This often happens without the retailer's knowledge: the point-of-sale or payment application software retains the track data after authorization, in logs or databases the retailer never inspects and may not even be able to read. Storing full magnetic stripe data after authorization is nonetheless prohibited by PCI DSS (Requirement 3.2 forbids retaining sensitive authentication data), and the merchant remains responsible for its payment applications. Card companies will likely fine merchants for this violation, and they may also halt payment processing, resulting in potentially huge amounts of lost revenue.

When a data breach occurs, there is also significant damage done to a merchant’s stock price, reputati
