PCI DSS: is the cure worse than the disease?

PCI compliance is an expensive business, but is it worth it?

Complying with the Payment Card Industry Data Security Standard (PCI DSS) is prohibitively expensive, and the cost of compliance bears very little relation to the cost of a breach, according to Dave Birch, director of IT consultancy Consult Hyperion.

Speaking at a Westminster eForum on the future of digital payments, Birch said that, while data-driven identity fraud accounts for the overwhelming majority of UK fraud, PCI DSS may not be the best solution in the long term.

"The cost of PCI DSS compliance has turned out to be a cure that's worse than the disease," said Birch. "It's not transparently obvious to me that it makes sense to continue it indefinitely far into the future. I think PCI needs as much of a rethink as the payments security itself does."

However, Jeremy King, European director of the PCI Security Standards Council, defended the standard, claiming that the average cost of each record of cardholder data lost in a UK breach is £79.

If a company suffered a breach of 50,000 records - which is relatively small - it would therefore cost them £4 million. By comparison, the cost of PCI DSS is somewhere between $3 million and $4 million, depending on the size of the company.

King said that PCI DSS is not just about protecting a company's revenues but also their reputation. He pointed to the likes of Sony and Heartland, which suffered significant brand damage following their high-profile data breaches.

"The most important cost to you when you're breached is your brand reputation. The cost of putting your brand back together again is far more significant and far outweighs the cost of the breach," he said.

But Birch argued back, claiming that the stock prices of these companies were unaffected by the data breaches. He also said that the costs incurred by Sony and Heartland were primarily in the form of fines from regulators and payments processors, rather than as a result of fraud.

"I'm unaware of any accurate supported statistical correlation between those losses and any actual card fraud," he said.

King said that organisations are increasingly adopting a risk-based approach to PCI DSS, so they can meet the requirements in stages rather than all in one go. This should make the process of compliance a lot simpler.

It will also help organisations prepare for the European Data Protection Directive, which will regulate the processing of personal data within the European Union.

"The Data Protection Directive has some significant challenges and requirements around customer data that are going to make PCI look like a walk in the park," said King.

"If you have got to protect all of your customer data, that means significantly more work; and if you're then required to notify your information commissioner within 24 hours of a breach, that's going to be a challenge; and if the data commissioner can then have the opportunity to fine you 2 percent of your global turnover, then that is not just the card schemes that are giving you fines."

Kiron Farooki, partner at Bond Pearce law firm, pointed out that some insurance companies are already responding to the European Data Protection Directive by providing "cyber insurance" that will allow businesses and retailers to spread out the cost of insurance over time.

However, Birch maintained that a more cost-effective solution is needed.

"You're never going to get the cost reductions that everybody needs, we have to rethink it, and I think looking at these more identity-centric ways is the way forward," he said.

"We have to work with a proper identity infrastructure, which isn't something to do with payments or banks, it's a cross-sector thing."
