The Rewards of PCI Compliance

By John Wagley

Few small companies are complying with credit card processing best practices as laid out in the Payment Card Industry Data Security Standard (PCI), which could open them to costly litigation down the road.
 
Just 28 percent of small businesses report being PCI compliant, compared to 75 percent of large ones, according to a recent Ponemon Institute study. But actual small company compliance is probably lower, say some analysts. Many small organizations can self-certify, as opposed to bringing in a third-party tester. Many may be just “checking the boxes” without proper work or thought, says John Kindervag, a Forrester Research senior analyst.
 
Cost of compliance is the main impediment, according to the Ponemon study. Compliant companies spend, on average, 35 percent of their IT security budgets on PCI. Complexity ranks as the second factor in noncompliance, says the study.

But not complying may be more costly in the long run, because companies that suffer breaches may get hit with lawsuits. To avoid that unhappy ending, IT departments need to show senior executives that compliance is worth funding, both for legal reasons and to further business objectives.
 
For such an approach, analysts recommend ensuring that someone is charged with spearheading PCI. “Sometimes it’s important to give people a stake in business efforts,” says Stephen Walker, a managing director at Colborn Morrison, a Richmond, Virginia-based business strategy and consulting firm. This person could be responsible for drawing up a PCI strategy and for oversight.
 
It’s important to approach upper management with a business-oriented mind-set, Walker says.
 
Security managers should also communicate some of the costs of noncompliance. So far, fines have mainly been levied against large firms, but this will likely change, say some analysts. If a data breach occurs, noncompliance could significantly increase litigation risks.
 
PCI can have marketing benefits, says Walker, appealing to consumers who care about data protection. Compliance could also affect how a company is perceived by other firms. In a potential merger situation, for instance, it could raise a company’s value.
For companies without a mature security program, “I always recommend using PCI as a baseline,” Walker says. Though the regulation focuses on financial data, it can also protect other sensitive information such as Social Security numbers, he says. PCI can help companies streamline security and regulatory compliance.

See all the latest links and resources that supplement the current issue of Security Management magazine.