The first question that any organization will ask about PCI compliance is 'What does it cost?' (The second question typically being 'What happens if we don't get ourselves compliant?' but we can come back to this question later).
The issue of cost is a good question to ask up front but as you may have already discovered, one that is very difficult to get a straight (and reliable!) answer to.
In fact an article appeared recently in Secure Computing Magazine based on some research a vendor and an independent research organization had carried out. The premise of the article was that the 'average' cost of compliance was typically £4M more expensive than not being compliant, based on the average cost of achieving compliance being £2M, whilst the cost of non-compliance was £6M.
You could suggest that, for product vendors within the marketplace, this is great news and that most will have a vested interest in making things seem more complicated and consequently more expensive than they are. Then there is also the issue of the need to use a Qualified Security Assessor or QSA. A QSA is trained and accredited by the PCI Security Standards Council, so their knowledge is excellent but it comes at a price.
Conversely, there is plenty of free advice available from the PCI Security Standards Council website (and from vendors too), so you can get yourself educated and in control of your organizations PCI compliance program before engaging the services of a QSA.
What is the cost of non compliance with the PCI?
Of course, there is another dimension to the question 'How much does PCI Compliance cost?' You could instead ask 'What happens if we don't get PCI Compliant?'
One approach is to assess how much your brand and reputation is worth? If your business hits the headlines for the wrong reasons due to a breach - and it will be mainstream press now, not just the IT or Retail Industry Press - then customers will be thinking twice before they hand over payment card details to you.
Therefore it isn't just the fines, the cost and hassle of a forensic investigation of your security measures, or even the risk of increased transaction fees and more demanding audit pressure. There are now a growing number of US states bringing in legislation, such as in Nevada where the SB 227 Amendment specifically states a requirement to comply with the PCI-DSS. Similarly in the UK, the Information Commissioners Office will fine any organization that is found to be in breach of the UK Data Protection Act which compels organizations to protect customer personal information.
The bottom line is that if your organization loses customer personal information this is going to result in exactly the wrong kind of publicity. A customer can easily cancel a credit card and get a new number, but if you lose their address and date of birth this is impossible to reset, and they will not thank you for doing so!
What are the benefits of PCI compliance?
Where is the upside? In respect of a PCI Log Management solution, this will not only provide an advanced warning security system but one that can also alert you to impending hardware problem. How much is it worth to know in advance that you need to replace that till hard drive before it actually fails on the Saturday before Christmas!
The PCI DSS also provides a well-thought out and comprehensive off-the-shelf security policy, with a ready-made mature industry and knowledge base to draw upon that can double up to govern personal information too. Other industries are trying to adopt ISO27K but this simply doesn't have the pedigree or maturity of the PCI DSS.
Eduardo Perez is now Chairman of the PCI Security Council. Perez was featured in Secure Computing Magazine making it clear he wanted to dispel the 'wait and see' mindset of many merchants by saying that, despite what you will continue to read, there are simply no magic or even silver bullets for the PCI DSS. The message was clear - Forget about 'buying' an off-the-shelf solution to the PCI DSS.
Merchants are advised that they will need to work at achieving PCI Compliance and as much as you can automate some aspects and buy products for other requirements such as Event Log Management and File Integrity Monitoring, you will always be compelled to adopt all dimensions of best practice in security management. This means removing any complacency about being compliant or cutting corners - the PCI DSS should be a pervasive factor across all functions and departments of any organization using payment card holder data.
Expect tokenization and p2p encryption to be embraced by the PCI security council but don't expect any relaxing of other measures - they want more layers of protection, with more double-checks, safety nets and good old fashioned common sense. For instance, there will always be a need for file integrity monitoring software to ensure encryption applications have not been compromised, coupled with log management software to track any access or changes to systems.
Some advice from our customers, QSA colleagues and us
- Don't let vendors and suppliers or even your QSA tell you what you should do and buy - get educated. There is lots of free advice around, not least from the PCI Security Council themselves.
- don't assume you need to spend sacks of money on products and replacing everything you have - re-organize your network to reduce scope, recycle - use your older firewall to partition your network and reduce scope, use your existing processes and procedures but just formalize and document, and reduce your use of card data where possible, reduce those with access to data
- Look for quick wins - contemporary log management and intelligent audit trail systems can be implemented quickly and even file integrity monitoring, always seen in the past as being expensive and complex are now affordable and automated
- make your own decisions about the risks and potential for theft, then confirm with QSA - don't ask for guidance unless absolutely necessary
No comments:
Post a Comment