Merchants that undergo network audits to ensure compliance with the Payment Card Industry Data Security Standards are paying an average of $225,000 each year -- and 10% of these businesses are paying $500,000 or more annually, according to a new study. In spite of that, 2% of them fail these audits.
The study, conducted by The Ponemon Institute under sponsorship of Thales, surveyed 155 qualified security assessors (QSAs) worldwide who are authorized by the PCI Security Standards Council to conduct these annual technical reviews of the largest merchants' networks. The QSAs were asked to share information about how much their customers are spending on annual PCI audits, which banks and card associations, such as Visa or MasterCard, require before a merchant is allowed to process payment cards.
With $225,000 to $500,000 spent annually on a PCI audit, "that's a large chunk of change to be doing each and every year," says Dr. Larry Ponemon, the Institute's founder. That cost doesn't include the technology changes and the operating and staff costs associated with the audit, according to the survey. Ponemon notes that sometimes the annual PCI audit "leads to a better security posture, but not always."
Clearly, a PCI audit is no silver bullet against hackers stealing payment-card data directly from merchant and card-processing networks. Some of the largest known victims of these types of crime, such as Heartland Payment Systems, TJX and Hannaford Brothers, are all large enough to undergo the annual audits.
The report also notes that 2% of businesses assessed by the QSAs fail the audit, and 41% rely on what are called "compensating controls" under the PCI rules. Kevin Bocek, director of product marketing at Thales, says failing an audit means working on a remediation plan. And compensating controls may address what might be done outside of strict PCI DSS guidelines to meet technical difficulties. "You and your QSA will decide what's appropriate," Bocek says.
Another interesting finding Bocek notes is that oftentimes the IT security department is in charge of the overall security environment, but it's the business managers in the organization who have the budgets for these QSA assessments.
In the survey, 54% of QSAs acknowledged that their clients feel PCI DSS is too costly, although 20% did say their clients are "satisfied" with compliance costs. More than half (52%) of the QSAs said that merchants are not proactively managing data privacy and security in their environments. The survey suggests that restricting access to cardholder data remains problematic.
Encryption is the most effective technology their clients use, according to 60% of the QSAs surveyed, although the industry currently has no specific requirement for end-to-end encryption of cardholder data. However, Heartland Payment Systems is leading the charge on that front in its business environment, and the PCI Security Standards Council is also mulling new guidelines for end-to-end encryption.