PCI Compliance
Payment Card Industry (PCI) compliance is vastly underestimated, though perhaps not as badly as the tangible and intangible costs of a data breach. Every merchant that accepts payment cards has a cardholder data environment (CDE) that falls under the purview of the PCI DSS. It is possible to limit, and even shrink, the scope of the CDE in order to reduce the merchant's PCI burden.
PCI DSS compliance includes a long list of requirements and is a significant responsibility for businesses of all sizes. The security requirements cost the largest merchants (Level 1), on average, $2.7 million, according to the analyst firm Gartner Inc. Even small merchants (Level 4) might have to spend several thousand dollars on the initial security assessment and new technology and security measures. What's more, maintaining PCI compliance is a continuous process that requires constant vigilance and incurs ongoing costs. The penalties for non-compliance can be severe, including the merchant's loss of the ability to accept credit card payments and being audited and/or fined.
Still, the relentless drive to protect sensitive cardholder data is vital. Losses stemming from data theft are on the rise. According to the Ponemon Institute, the average cost of coping with a data breach in 2008 rose to $6.6 million, a 40 percent increase since 2006. Moreover, the threats are evolving as organized thieves use ever more sophisticated techniques to break into more merchants' systems and steal sensitive data. All parties involved in processing card transactions have an obligation to continually improve their data security practices.
The challenge for merchants is finding and implementing a solution, or set of solutions, that adequately protects sensitive cardholder data at rest and in motion, meets the requirements of PCI DSS, and does not slow or impair business processes or decrease profits.