PCI compliance makes dollars and sense

About the author

From security architecture to data management, Cory Retherford brings 20 years of technical experience to his position as Principal Advisory Solutions Engineer at Spirion providing real world solution implementation strategies within large and complex environments. With a focus in data security, privacy, and operational data security risk reduction, Cory believes in protecting sensitive data because privacy matters to us all.

Protecting sensitive data is a challenging task. Between the complexities of the data itself and the legal implications of an alphabet soup of data privacy regulations, too many organizations struggle to develop protection strategies. Visibility into where the data lives is one of the hardest things to achieve, yet it is vital to meeting compliance.

For organizations that accept credit card payments, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a must. “Maintaining payment security is required for all entities that store, process or transmit cardholder data,” the PCI Security Standards Council explained. PCI DSS “set the technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.”

The PCI Security Standards make clear that data discovery is foundational: knowing where cardholder data lives is core to scoping a PCI assessment. There are twelve requirements, all designed to put protection of cardholder data first. The requirements include a multitude of security controls placed on the systems that store, process, or transmit cardholder data, and on the systems connected to them.

The cost of non-compliance

PCI compliance continues to be a challenge: only 27.9% of organizations achieved 100% compliance during their interim compliance validation, according to the Verizon 2020 Payment Security Report. Compliance should not be seen as a "checkbox" activity but rather as an everyday activity to protect sensitive data.

The average cost of a data breach is $3.86 million, according to the IBM and Ponemon Institute Cost of a Data Breach 2020 report. When customer PII, the very data PCI DSS is designed to protect, is compromised, that same report puts the cost at $150 per record. Data breaches also result in a loss of reputation and consumer confidence. Consumers don't like having credit cards replaced regularly because a company failed at protecting sensitive information, and they will take their business elsewhere. According to the Deloitte Global Survey on Reputation Risk, on average 25% of a company's market value is directly attributable to its reputation. On top of that comes lost revenue and the impact of not being able to process payment card transactions.

Data breaches and reputational loss are not the only costs of failing PCI compliance. Companies not meeting the standard can be fined thousands of dollars for each month of non-compliance. There are also legal costs to consider during remediation, and the acquiring bank can revoke the ability to process payment card transactions altogether.

PCI compliance comes at a cost. The size and scope of your organization, the overall security posture of the company, and whether or not there is dedicated staff handling PCI compliance will all factor into the cost of setting up and maintaining mechanisms for PCI standards.

Why accurate audits matter

PCI audits can be costly, because they require the company to have the right processes and tools in place. Audits are time consuming and stressful for your security and data privacy teams, but they are vital to protecting both the company and its customers. Knowing which devices store and process sensitive data is vital to reducing PCI costs, as well as reducing the potential for breaches, because your systems continuously track and "know" the location of sensitive data. Nothing is left unknown.
Accuracy matters when it comes to identifying where your PCI data really lives. Not being able to accurately discover cardholder data will affect your overall assessment and add cost to the process. Organizations must be able to demonstrate to the auditor, the Qualified Security Assessor (QSA), that cardholder data is not located on devices outside the defined PCI scope. A PCI audit must validate that the perceived scope of compliance is in fact accurately defined and documented.
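To make the accuracy point concrete, here is an added example of a minimal cardholder-data discovery scan. It is illustrative code written for this article, not Spirion's product, a PCI SSC tool, or anything the author describes. It shows why a bare "16 digits" regex overstates scope: order numbers and ticket references look like PANs, so the scan validates each candidate with the Luhn checksum before counting it as cardholder data, and masks anything it reports. The sample text is constructed, and the candidate pattern (13 to 19 digits, optionally separated by spaces or hyphens) is an assumption that covers the major card brands.

```python
"""Added example: PAN discovery with Luhn validation and masked reporting.

Illustrative code for this article only; not Spirion's product or any
PCI SSC tool. The sample text below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Assumption: a PAN-like run is 13-19 digits, optionally split by spaces
# or hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: two real-looking test PANs mixed in with an order
# number and a ticket reference that are also 16 digits long.
SAMPLE = """\
Order 2020123456789012 shipped to Pat. Card on file: 4111 1111 1111 1111
Refund to 5555-5555-5555-4444; support ticket ref 1234567890123456
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    Every second digit from the right is doubled; doubled values above 9
    have 9 subtracted. A valid PAN sums to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only the first six and last four digits, the most PCI DSS
    allows on a display; never write a full PAN into scan output."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[str, bool]]:
    """Return (normalized_digits, luhn_ok) for every PAN-like run in text.

    Keeping the rejected candidates lets a reviewer see what the regex
    alone would have pulled into scope.
    """
    results = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        results.append((digits, luhn_valid(digits)))
    return results


def scan_report(text: str) -> Dict[str, object]:
    """Summarize a scan: how many candidates, how many survived Luhn,
    and masked values for the confirmed hits only."""
    hits = find_pans(text)
    confirmed = [d for d, ok in hits if ok]
    return {
        "candidates": len(hits),
        "confirmed": len(confirmed),
        "masked": [mask_pan(d) for d in confirmed],
    }


if __name__ == "__main__":
    report = scan_report(SAMPLE)
    print(f"regex candidates: {report['candidates']}")
    print(f"Luhn-confirmed PANs: {report['confirmed']}")
    for masked in report["masked"]:
        print("  ", masked)
```

On the constructed sample the regex finds four candidates but only two pass Luhn; the order number and ticket reference are dropped. In a real discovery tool you would add BIN range checks and context (field names, file types) on top of Luhn, since a checksum alone still passes roughly one random 16-digit string in ten.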

Organizations shouldn’t view a PCI audit as a point-in-time process, but as an ongoing exercise that demonstrates governance of cardholder data throughout the entirety of the data lifecycle.

Regulations like PCI DSS are designed to protect cardholder data, which in turn goes a long way toward preventing data breaches. Maintaining awareness of where PCI data resides is crucial to maintaining good consumer privacy practices. While you need to invest upfront in the right data management systems and whatever security tools are needed for compliance, being PCI compliant will pay off in the long run.