Industry View: Calculating the True Cost of PCI Non-Compliance

Symark’s Ellen Libenson does the math.

By Ellen Libenson

January 07, 2008 | CSO — Despite being given a deadline of September 30, 2007 to comply with the Payment Card Industry Data Security Standard (PCI DSS), many Level 1 merchants—those that process more than 6 million transactions per year—still do not meet the necessary requirements. In fact, Visa reports that as much as 40 percent of its Level 1 merchants fall into this category.

While monthly fines for non-compliance—ranging from $5,000 to $25,000—may not seem too steep for these large merchants, there are far greater costs associated with non-compliance beyond these monetary fines levied by the PCI.

It is critical for IT administrators and C-level executives to consider all of the costs associated with PCI compliance and non-compliance, especially given the looming December 31, 2007 deadline for Level 2 merchants to demonstrate compliance. Some of these costs are obvious, of course, but others may be less evident, and it is also important to understand the far-reaching benefits of compliance.

The Costs of Compliance…and Non-Compliance

Calculating the costs of PCI DSS compliance can be difficult. It is not simply a matter of achieving compliance and then maintaining it, because PCI compliance is a moving target. For example, the standard is shifting in response to consumer pressure to write more of the PCI industry standard into law, so that it becomes a regulatory mandate.

What’s more, the technologies and vectors that attackers use to perpetrate their misdoings are becoming more sophisticated, so new countermeasures will have to be purchased and implemented to address these emerging threats. This makes the ongoing cost of compliance difficult to measure, and can deter organizations from investing the proper resources necessary to meet the standards laid out in PCI DSS. However, the ongoing costs of non-compliance can be far greater.

In addition to the monthly fines, one of the biggest costs of non-compliance is lost business if an acquirer refuses to process card payments for a merchant after a data breach occurs. Many of these attacks involve the theft of magnetic stripe data stored on a merchant’s system. This is often done without the retailer’s knowledge, as the information is stored by application software that the retailer cannot decipher. However, storing magnetic stripe data is a violation of the PCI standard. Card companies will likely fine merchants for this non-compliance, and they may also halt processing payments, resulting in potentially huge amounts of lost revenue.

When a data breach occurs, there is also significant damage done to a merchant’s stock price, reputati