PCI compliance costs often underestimated, study finds

By Robert Westervelt, News Editor
24 Jul 2007 | SearchSecurity.com


Sharon Finney, an information security administrator at Decatur, Ga.-based Dekalb Medical Center, has been dealing with regulatory compliance issues for years.

The teaching hospital implemented content monitoring and data loss prevention software from Denver-based Vericept as part of its Health Insurance Portability and Accountability Act (HIPAA) compliance program in 2004 and now is reviewing its systems to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS).

New regulations and standards designed to lock down systems containing critical information are constantly coming to the forefront. But financial boards aren't necessarily giving IT pros like Finney a blank check to implement new security technologies.

"When I go to the audit and compliance committee or board of directors … I have to come up with something more than telling them that a regulation or standards say we need to do it," Finney said. "You need a plan and strategy to say here are the items that need to be addressed, here are how they impact us and show what is critical and what is an acceptable level of risk."

Companies that accept credit card transactions, including healthcare institutions, are taking a standard approach to PCI DSS. But many are underestimating the costs associated with becoming compliant, according to a recent survey.

Conducted in June by the Boston-based Aberdeen Group, the survey helped highlight the route some companies are taking to become compliant. Aberdeen surveyed 125 organizations and analyzed those it calls best-in-class – firms that had reported PCI compliance, addressed six or more PCI DSS requirements and had no data security breaches in the last year.

The study found that in many cases companies are consistently underestimating the costs associated with compliance, said Derek E. Brink, vice president and research director at Aberdeen. Even the best-in-class organizations are underestimating the costs, he said.

"With respect to PCI compliance, in many cases it cost about 40% more than they estimated," Brink said.

Still, the survey found that the best approach is to start by understanding which systems hold sensitive credit card data and then performing an assessment to discover what data is most at risk.

Brink said that 63% of best-in-class organizations eliminated systems that stored sensitive authentication data, such as magnetic stripe data, PIN numbers and card validation values. Segmenting networks of systems to isolate credit card data was also cost effective for many companies, Brink said.

"If you cut off systems that don't process cardholder data from those that do, then the PCI DSS requirements only apply to those that process the data," Brink said. "You cut off a big bunch of systems and reduce your scope. This was a big distinction between best-in-class and the industry average."

The study found that 68% of those best-in-class organizations used PCI DSS as a guide to improve protection of all sensitive business data, including credit card data. PCI projects typically lasted 12-18 months and began with a data flow diagram to determine which systems contained sensitive PCI data. Second, a risk and vulnerability assessment was undertaken on all system components in the cardholder data environment to determine which areas needed to be addressed.

Survey respondents said technology implementations began with encryption of cardholder data transmissions across open networks, with more than 89% year-over-year performance improvement. Encryption of stored cardholder data also was a priority, followed by development of secure systems and applications that handle cardholder data.

Experts say data encryption is an area where costs could add up. Software vendors are lining up to do business. Joe Sturonas, chief technology officer of PKWARE, which packages and encrypts sensitive data, said his company is seeing an increase in interest in the financial services industry. Banks, which do business with thousands of merchants, are looking for a way to enable end users to encrypt transaction logs and other items that may contain sensitive data, Sturonas said.

Sturonas said that while PKWARE's container approach is unique, it uses the full-blown encryption technology required by PCI DSS.

"Even though you have a secure pipe to send data, the idea is that this data should have interoperability and should be protected once it lands through that pipe on the other side," Sturonas said.

Aberdeen is also projecting a rise in the number of qualified security assessors needed over the next 12 months. Companies are also seeking out scanning vendors, log analysis, auditing and reporting tools and application vulnerability scanners as part of their compliance initiatives.

Mike Rothman, president and principal analyst of Security Incite in Atlanta, said companies should stick to the basics when it comes to compliance rather than buying expensive technology. By developing a layered approach to security, compliance costs could be minimal, he said.

"It seems like there's a whole business around complicating all this stuff," Rothman said. "The reality is if you've got a strong security program and you documented your stuff and you are training your users and protecting the data that needs to be protected then you're going to be compliant."

For Finney of Dekalb Medical Center, who has more than 4,000 users on her network, including three cafeterias and restaurants that accept credit and debit cards, risk assessment is going to be essential to the security program.

"The same tools we put in place for HIPAA also allow us to put in rules for PCI or other standards," Finney said. "Eventually we can choose to address issues with technology or insure against it or choose to accept it as an acceptable risk."
