Friday, April 09, 2010

Level 1 Merchants' PCI Costs

Level 1 merchants who undergo on-site security audits to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS) are paying an average of $225,000 each year, and 10 percent of these businesses are paying $500,000 or more annually, according to a new study by the Ponemon Institute. In spite of that spending, 2% of them fail these audits.

The study surveyed 155 Qualified Security Assessors (QSAs) worldwide who are authorized by the PCI Security Standards Council to conduct annual technical reviews of the largest merchants' networks. With $225,000 to $500,000 spent annually on a PCI audit, "that's a large chunk of change to be doing each and every year," says Dr. Larry Ponemon, the Institute's founder. That cost doesn't include the technology changes and the operating and staff costs associated with the audit, according to the survey. Ponemon notes that sometimes the annual PCI audit "leads to a better security posture, but not always."

Of those merchants surveyed, 41% rely on "compensating controls" under the PCI rules. Failing an audit means working on a remediation plan, and compensating controls are the mechanism for satisfying a requirement's intent by means other than the strict PCI DSS guidelines when technical constraints get in the way.

In the survey, 54% of QSAs acknowledged that their clients feel PCI DSS is too costly, although 20% did say their clients are "satisfied" with compliance costs. More than half (52%) of the QSAs said that merchants are not proactively managing data privacy and security in their environments. The survey suggests that restricting access to cardholder data remains problematic.

Encryption is the most effective technology their clients use, according to 60% of the QSAs surveyed, although the industry currently has no specific requirement for end-to-end encryption of cardholder data.
