
PCI DSS: is the cure worse than the disease?

PCI compliance is an expensive business, but is it worth it?


Complying with the Payment Card Industry Data Security Standard (PCI DSS) is prohibitively expensive, and the cost of compliance bears very little relation to the cost of a breach, according to Dave Birch, director of IT consultancy Consult Hyperion.

Speaking at a Westminster eForum on the future of digital payments, Birch said that, while data-driven identity fraud accounts for the overwhelming majority of UK fraud, PCI DSS may not be the best solution in the long term.

“The cost of PCI DSS compliance has turned out to be a cure that's worse than the disease,” said Birch. “It's not transparently obvious to me that it makes sense to continue it indefinitely far into the future. I think PCI needs as much of a rethink as the payments security itself does.”

However, Jeremy King, European director of the PCI Security Standards Council, defended the standard, claiming that the average cost of each record of cardholder data lost in the UK is £79.

If a company suffered a breach of 50,000 records – which is relatively small – it would therefore cost them £4 million. By comparison, the cost of PCI DSS is somewhere between $3 million and $4 million, depending on the size of the company.

King said that PCI DSS is not just about protecting a company's revenues but also their reputation. He pointed to the likes of Sony and Heartland, which suffered significant brand damage following their high-profile data breaches.

“The most important cost to you when you're breached is your brand reputation. The cost of putting your brand back together again is far more significant and far outweighs the cost of the breach,” he said.

But Birch argued back, claiming that the stock prices of these companies were unaffected by the data breaches. He also said that the costs incurred by Sony and Heartland were primarily in the form of fines from regulators and payments processors, rather than as a result of fraud.

“I'm unaware of any accurate supported statistical correlation between those losses and any actual card fraud,” he said.

King said that organisations are increasingly adopting a risk-based approach to PCI DSS, so they can meet the requirements in stages rather than all in one go. This should make the process of compliance a lot simpler.

It will also help organisations prepare for the European Data Protection Directive, which will regulate the processing of personal data within the European Union.

“The Data Protection Directive has some significant challenges and requirements around customer data that are going to make PCI look like a walk in the park,” said King.

“If you have got to protect all of your customer data, that means significantly more work; and if you're then required to notify your information commissioner within 24 hours of a breach, that's going to be a challenge; and if the data commissioner can then have the opportunity to fine you 2 percent of your global turnover, then that is not just the card schemes that are giving you fines.”

Kiron Farooki, partner at Bond Pearce law firm, pointed out that some insurance companies are already responding to the European Data Protection Directive by providing “cyber insurance” that will allow businesses and retailers to spread out the cost of insurance over time.

However, Birch maintained that a more cost-effective solution is needed.

“You're never going to get the cost reductions that everybody needs, we have to rethink it, and I think looking at these more identity-centric ways is the way forward,” he said.

“We have to work with a proper identity infrastructure, which isn't something to do with payments or banks, it's a cross-sector thing.”
