NuHarbor Security Blog
October 3, 2017

Reducing Internal Costs of PCI Compliance

Jeffrey Bamberger

Some statements I have heard over the years regarding PCI compliance include, but certainly are not limited to:

It takes time away from my “every day” responsibilities.

It restricts my ability to conduct business the way I want.

It’s a hindrance to facilitate the completion of projects on a timely basis.

However you feel about it, PCI compliance is an inevitability if your organization is to remain viable in the long term. The above statements relate to internal costs, which come up in many of our project meetings. While it is smart business practice to contain internal costs, it would be neglectful to do so without some big-picture thinking.

The average cost of a data breach ranges between $100 per record to several times that. Multiply that by millions of records, and the ongoing costs associated with compliance suddenly seem far less than a data breach scenario. Your organization should strive to contain internal costs while maintaining PCI compliance.

Examples of PCI compliance-related internal costs are:

Developing, supporting, and monitoring your Cardholder Data Environment (CDE) systems.

Time necessary to support audits/regulatory reviews.

Effort to recruit and train skilled personnel.

Often, smart, smaller, tactical investments in these areas can lead to significant savings without risking a degradation of the overall control structure. The following are just a few examples of cost-containment methods:

Adjusting the Scope of Your CDE

The PCI Data Security Standard applies to all systems that store, process, or transmit cardholder data. Limiting the number of systems that touch cardholder data can have a direct impact on scope, and thus, cost. Reducing scope may also reduce the time required to audit your CDE.

Methods for scope reduction can include:

Minimization of internal infrastructure.

Outsourcing functionality or services to PCI compliant service providers.

Centralization of data (to limit the number of segments containing cardholder data).

Encryption/tokenization of data (to obfuscate or render data unreadable).

Utilization of any of these techniques can also help you avoid scope creep.
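The encryption/tokenization method listed above, as an added example that is not part of the original post: a minimal token vault (an assumed design, not NuHarbor's tooling) holds the only copy of the full PAN, while the order record that downstream systems store carries just a random token and a masked number. That separation is the property that lets the downstream systems be argued out of CDE scope, and the final helper is the check an assessor would want to see applied to stored records.

```python
import re
import secrets

PAN_RE = re.compile(r"^\d{13,19}$")  # PAN length range allowed by the card brands

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, so the vault rejects malformed input early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Truncated display form keeping only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]

class TokenVault:
    """The one component that still holds full PANs and so stays inside the CDE.
    Tokens are random, not derived from the PAN, so a token alone reveals nothing."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan not in self._token_by_pan:  # same PAN -> same token, so repeat customers match
            token = "tok_" + secrets.token_hex(16)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        """Only the in-scope vault can map a token back; callers outside the CDE never need this."""
        return self._pan_by_token[token]

def build_order_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What a downstream order or CRM system stores: token plus masked PAN, never the PAN."""
    return {"card_token": vault.tokenize(pan),
            "card_masked": mask_pan(pan),
            "amount_cents": amount_cents}

def record_exposes_pan(record: dict, pan: str) -> bool:
    """Scope check: does a stored record contain the full PAN anywhere?"""
    return any(pan in str(value) for value in record.values())
```

This sketch shows only the data-flow boundary; a real vault additionally needs encrypted storage, access control and logging of every detokenize call, because it remains fully in scope.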

Building Awareness

Security awareness is critical to ensuring your workforce doesn’t inadvertently create a costly situation. Employees need to be coached so they understand that every decision can affect the organization. Security awareness should extend beyond initial employee orientation. To have a cost-saving effect, programs must be frequent and regular. Make activities fun and memorable to increase effectiveness. Examples include:

Using games to enliven individual training sessions

Utilizing dynamic guest speakers

Offering employees incentives to recommend organizational changes that improve security

Awareness programs will not guarantee that your staff will never knowingly take actions resulting in a breach. Awareness, however, will reduce the likelihood of a breach. Awareness also gives employees agency in their decision-making processes.

Continuous Compliance

Compliance is no longer a once-per-year activity. Every decision made has a potential effect on the organization, and decisions happen year-round. For many organizations, staffing levels are not adequate for assessing all expected controls at one time. By breaking the assessment into smaller pieces spread throughout the year, your organization will build awareness, stay agile, and react more quickly. This tactical strategy can have many net positive effects and reduce costs over a longer period.

Also in the realm of continuous compliance, I regularly peruse the list of reported* breaches on the Privacy Rights Clearinghouse (PRC) website. While it frustrates me to see the daily entries, there is a benefit to this behavior of mine. Periodic review allows me to stay on top of patterns and identify new or atypical threat vectors. Consider creating a similar habit of reviewing the PRC.

Partner this behavior with the business-smart strategies I’ve offered here, and your organization could begin to realize cost savings. Smart, tactical decisions will make compliance easier now. These decisions are also likely to save your organization from unnecessary expenditures while protecting your reputation. Whatever tactics you choose to deploy, you must stay vigilant. If your organization’s culture has been built on resisting compliance, it will take time to become a well-oiled machine focused on continuous compliance.

I hope to meet you in the future. Please don’t let our first “visit” be one due to inclusion in the reported breach database.

* Note that I have specifically utilized the word “reported” with respect to breaches. How many have occurred that are not reported when identified by an organization (please don’t ever do this)? Worse, how many are never identified in the first place?

Jeffrey Bamberger

Jeffrey Bamberger is the Principal Advisor for Information Assurance at NuHarbor Security. Jeff brings over 30 years in cybersecurity and information technology experience, focusing on consulting, risk management, compliance, and audit. Jeff's broad consulting experiences include cyber risk/threat management and assessment, information security control assessments, payment card industry (PCI) compliance, social engineering and physical security, privacy, vendor management, and Sarbanes-Oxley compliance. A graduate of the F.W. Olin Graduate School of Business at Babson College, he holds a Master of Business Administration degree. Jeff also has a Bachelor of Arts in Computer Science and Religion from Colgate University. He is a current member of the New England Chapter of the Information Systems Audit and Control Association and holds both a CISA and CISM certification.
