Industry View: Calculating the True Cost of PCI Non-Compliance

Symark’s Ellen Libenson does the math.

By Ellen Libenson

Page 2

on and customer loyalty. Consumer surveys reveal that many people lose respect and/or trust for a business after customers' personal information has been misplaced or stolen from that company's systems. Logically, most consumers would greatly prefer to conduct business with a company that has never experienced a data breach.

While it is difficult to pinpoint the exact monetary cost of damaged reputation and lost customer loyalty as it relates directly to security, the now-infamous TJX breach of cardholder data in January 2007 may have changed the trade-off between the cost of implementing PCI DSS and the potential cost of not doing so—especially for larger merchants. Now that the extent of the TJX breach is known, research firms estimate that the total cost could exceed $500 million. Others predict that it could approach $1 billion over time.

It is clear that the business logic for postponing PCI compliance is quickly evaporating. While the TJX fiasco highlights the potentially astronomical costs of non-compliance, it is important to realize the benefits of compliance beyond avoiding becoming the next merchant to make front-page news.

Benefits of PCI DSS Compliance

PCI DSS compliance delivers benefits felt throughout the organization. Some of the more noticeable include a lower likelihood of a breach and faster recovery if a breach does occur; reduced risk of financial loss through fines, lost business, lawsuits and other consequences of a breach; enhanced industry standing and customer reputation as a leader willing to commit resources to securing cardholder data; and improved operational and financial results. However, there are a number of less obvious benefits that executives should consider as well.

For example, implementing the technologies and initiatives needed to comply with PCI DSS shortens the time needed to achieve compliance with other regulations and standards. On average, organizations today must achieve compliance with two or three mandates. PCI DSS is so granular in securing data, so focused on the workflow of cardholder data as it is received and processed by industry members, and so general in its best-practices approach to data security, that once an organization achieves PCI DSS compliance, most of the work has been done to demonstrate compliance with regulations—including SOX, HIPAA, U.S. federal security standards and others—designed to protect other data workflows.

Another benefit of PCI compliance involves risk reduction and risk management. The TJX breach makes it clear that merchants, Internet vendors and service providers must view PCI DSS compliance as a tool for controlling the risk of substantial financial loss.
