Ask the Expert: What is the importance of PCI DSS compliance for enterprises?

Ben Rothke, Senior Security Consultant at Nettitude, discusses the importance of PCI DSS compliance in a world increasingly driven by regulation and policy.

This week’s Ask the Expert is answered by Ben Rothke CISSP, PCI QSA, Senior Security Consultant at Nettitude.

Ask the Expert: What is the importance of PCI DSS compliance for enterprises?

For enterprises that rely on credit cards, PCI DSS compliance is critical. In fact, if they can’t accept credit cards, they might as well turn off the lights and send everyone home.

For Internet businesses, the inability to accept credit cards means that they most likely will have to go out of business. While they still can accept Bitcoin, PayPal and money transfer solutions such as Western Union, cutting off credit card transactions cuts off their main revenue lifeblood.

For brick-and-mortar businesses, a lack of credit card acceptance is a slower death blow, especially as we move toward a cashless economy.

Besides being a requirement for any entity that stores, processes or transmits cardholder data, PCI compliance can also be used to negotiate lower rates for cyber security insurance. Firms that are PCI compliant are able to demonstrate that they have a good set of information security controls in place, which makes them more attractive to cyber security insurance underwriters.

Also, in the event of a legal action, PCI compliance can conceivably be used to reduce potential legal liability. When a jury hears that a merchant was PCI compliant, any award is likely to be lower than it would have been had the jury heard that the merchant was derelict and non-compliant.

But more importantly, non-compliance with PCI puts a merchant at higher risk of credit card theft, and that is where things can get very expensive. Dealing with a breach that results in the compromise of large amounts of credit card data is an extremely expensive exercise. Each compromised card can end up costing hundreds of dollars. Do the math, and you can see that PCI compliance also makes business sense.

Furthermore, above and beyond PCI, the need to secure consumer data (including credit card data) is now seen as a corporate duty. Enterprises are trusted by their customers to secure that data. If they don’t meet that duty, that trust is eroded, which in the end is quite damaging to their reputation and bottom line.

Also, the prescriptive nature of PCI makes it a very useful template on which to build or expand an information security program. With the exception of disaster recovery, the 12 PCI DSS requirements cover all of the core areas of data security. Once a PCI compliance program has been implemented, it can be used as a framework for other initiatives such as ISO 27001, HIPAA, Sarbanes-Oxley and the like. Using PCI as an overall security framework provides increased security and easier compliance, as well as cost savings.

Finally, PCI compliance costs significantly less than a security compromise. Think of it this way: PCI compliance doesn’t cost, it pays.