Some statements I have heard over the years regarding PCI compliance include, but certainly are not limited to:
It takes time away from my “every day” responsibilities.
It restricts my ability to conduct business the way I want.
It hinders completing projects on time.
However you feel about it, if your organization handles payment card data, PCI compliance is a condition of remaining viable in the long term. The statements above all concern internal costs, which come up in many of our project meetings. Containing internal costs is smart business practice, but doing so without some big-picture thinking is negligent.
The average cost of a data breach ranges from roughly $100 per record to several times that. Multiply that by millions of records, and the ongoing cost of compliance suddenly looks small next to a breach scenario. Your organization should strive to contain internal costs while maintaining PCI compliance.
Examples of PCI compliance-related internal costs are:
Developing, supporting, and monitoring your Cardholder Data Environment (CDE) systems.
Time necessary to support audits/regulatory reviews.
Effort to recruit and train skilled personnel.
Often, smart, small, tactical investments in these areas lead to significant savings without degrading the overall control structure. The following are a few examples of cost containment approaches:
Adjusting the Scope of Your CDE
The PCI Data Security Standard applies to every system component that stores, processes, or transmits cardholder data and, under the standard's scoping guidance, to connected systems that could affect the security of that environment. Limiting the number of systems that touch cardholder data directly reduces scope, and therefore cost. A smaller scope also means less time spent assessing the CDE.
Methods for scope reduction can include:
Minimization of internal infrastructure.
Outsourcing functionality or services to PCI DSS compliant service providers (and confirming their compliance status, since their attestation is what keeps the outsourced function out of your own assessment).
Centralization of data, to limit the number of network segments containing cardholder data. Segmentation is not itself a PCI DSS requirement, but it is the primary scope-reduction tool, and it must be tested to confirm it actually isolates the CDE.
Encryption or tokenization of data, to render it unreadable. Note the distinction: encrypted cardholder data remains in scope wherever your organization holds the decryption keys, whereas systems that handle only tokens, with no way to recover the PAN, can be removed from scope.
Any of these techniques also helps you avoid scope creep.
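As an added example (not code from the original post), the following Python shows why tokenization takes systems out of scope: only the vault ever holds a PAN, and every downstream system stores a random token that keeps the last four digits for display but can never pass as a card number. The TokenVault class, the in-memory dictionary standing in for a persistent encrypted store, and the Visa test number are all assumptions for illustration.

```python
import secrets
import string
from typing import Dict, Optional


def luhn_valid(digits: str) -> bool:
    """Return True when `digits` is a 13-19 digit string that passes the Luhn
    check, the checksum every real PAN satisfies."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Display form: everything but the last four digits hidden."""
    return "*" * (len(value) - 4) + value[-4:]


class TokenVault:
    """Hypothetical tokenization service (an assumption for this example).

    Only the vault holds PANs; every other system stores and passes around
    the token. A production vault keeps the PAN encrypted under a key held
    in an HSM; this demo keeps it in a dictionary.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("input is not a well-formed PAN")
        existing = self._pan_to_token.get(pan)
        if existing:
            return existing  # the same PAN always maps to the same token
        while True:
            # Keep the last four digits so receipts can show "**** 1111" and
            # randomise the rest with a CSPRNG. Discard any candidate that
            # passes Luhn: a token must never be usable as, or mistaken for,
            # a real card number.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault, and the few systems allowed to call it, can do this."""
        return self._token_to_pan.get(token)


def checkout_flow(vault: TokenVault, pan: str) -> dict:
    """Constructed order system that keeps only the token and a masked form.
    The returned record is everything the out-of-scope system retains."""
    token = vault.tokenize(pan)
    return {"token": token, "display": mask(token)}


if __name__ == "__main__":
    vault = TokenVault()
    # Visa test number (Luhn-valid, not a live card); an assumption for the demo.
    print(checkout_flow(vault, "4111111111111111"))
```

The scoping point is in the last function: the order system never sees the PAN, cannot recover it without calling the vault, and holds a value that fails the Luhn check, so a leaked order database contains nothing an attacker can use at a merchant.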
Security Awareness
Security awareness is critical to ensuring your workforce doesn't inadvertently create a costly situation. Employees need to be coached until they understand that every decision can affect the organization. Security awareness should extend well beyond initial orientation. To have a cost-saving effect, programs must be frequent and regular. Make activities fun and memorable to increase effectiveness. Examples include:
Using games to enliven individual training sessions
Utilizing dynamic guest speakers
Offering employees incentives to recommend organizational changes that improve security
Awareness programs will not guarantee that your staff never takes an action that results in a breach. They do reduce the likelihood of one. Awareness also gives employees agency in their own decision-making.
Continuous Compliance
Compliance is no longer a once-per-year activity. Every decision made has a potential effect on the organization, and decisions happen year-round. For many organizations, staffing levels are not adequate to assess all expected controls at one time. By breaking the work into smaller bites throughout the year, your organization will build awareness, stay agile, and react more quickly. This tactical approach has many net positive effects and reduces cost over the longer term.
Also in the realm of continuous compliance, I regularly peruse the list of reported* breaches on the Privacy Rights Clearinghouse (PRC) website. While it frustrates me to see the daily entries, there is a benefit to this behavior of mine. Periodic review allows me to stay on top of patterns and identify new or atypical threat vectors. Consider creating a similar habit of reviewing the PRC.
Partner this habit with the business-smart strategies I've offered here, and your organization could begin to realize cost savings. Smart, tactical decisions make compliance easier now. They are also likely to save your organization unnecessary expenditure while protecting its reputation. Whatever tactics you choose to deploy, you must stay vigilant. If your organizational culture has its foundations in abhorring compliance, you will need time to become a well-oiled machine focused on continuous compliance.
I hope to meet you in the future. Please don’t let our first “visit” be one due to inclusion in the reported breach database.
* Note that I have specifically utilized the word “reported” with respect to breaches. How many have occurred that are not reported when identified by an organization (please don’t ever do this)? Worse, how many are never identified in the first place?
by Jeff Bamberger
Senior Information Assurance Associate
Jeff is a Senior Information Assurance Analyst. He works with clients on compliance and risk management and has over 20 years of field experience.