Myth of PCI DSS: Security Compliance is Hard
January 5, 2009

While talking with Forrester analyst John Kindervag about IT security trends this week, we discussed the issue of educating companies about PCI DSS compliance. Compliance is part of what PCIS helps companies achieve through a range of boxed services, so it came up naturally in the conversation. And as some of our readers may know, Kindervag is an expert on PCI DSS, so it was a great opportunity for us to learn as well.

PCI DSS stands for Payment Card Industry Data Security Standard. It is a worldwide security standard enforced by the founding members of the PCI Security Standards Council (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) to ensure that vendors and merchants protect your private credit card information while they are processing transactions. Even though the PCI standard has been around for some time, many companies have still not heard of PCI, much less taken steps to improve their security measures.

Kindervag wrote an excellent analysis a while back entitled PCI Data Security Standard compliance: Setting the record straight. It is a clear overview of some of the issues in PCI DSS, and I’d like to follow up on it in a series of posts here.

Myth #1: PCI Compliance is hard
One objection companies raise to undertaking PCI compliance is that it’s hard. As Kindervag points out, what they usually mean is that they think it’s expensive. According to a Forrester study, The State of PCI Compliance, American and European companies seeking to meet PCI standards typically spend 1 to 5 per cent of their IT budget on the task.

While that can be significant in terms of total dollar outlay, it seems entirely reasonable when looked at as insurance against a security breach in which records are exposed, which could cost between $9 million and $14 million even before the credit card companies get around to assessing fines for PCI non-compliance. (Check out Tech//404’s handy Data Loss Calculator, which lets organizations get more accurate numbers on what to expect from a data security breach.)

For companies that already follow good security practices, the additional cost of PCI compliance may be negligible. The benefits of good security practices were clear even before PCI was developed, and for organizations that have already done these things, PCI compliance is not hard at all. It pays to be proactive.

Vaclav Vincalek
Pacific Coast Informer Blog

Posted January 5, 2009
Categories: General Security

© 2006-2007 Backbone Magazine. All Rights Reserved.