The chapter below, from the book PCI Compliance: Understand and Implement Effective PCI Data Security Standard
Compliance, explains the relationship between PCI compliance requirements and risk management.
Authors Dr. Anton Chuvakin and Branden Williams reveal the impact PCI compliance can have on overall risk management in your organization. They also explain the importance of PCI DSS compliance beyond the fear of being fined.
See sidebar below to listen to an interview with the authors
Chapter 3: Why Is PCI Here?
First, a common question: can one claim that PCI increases the merchant's overall risk? When people ask that question they usually imply that PCI added the risk of loss via noncompliance fi nes and raised fees to the risk of direct losses due to card theft from a merchant's environment (such as reputation damage, cost of new security measures, and monitoring)? The answer is clearly a "no," since before PCI, most of the negative consequences of a card theft, even a massive one, were not falling upon the merchant shoulders but on others such as card-issuing banks. PCI, on the other hand, creates a powerful motivation for protecting the data on the merchant side.
Still, despite that reality about PCI, many CEOs or CFOs are asking the question, "Why would I need to spend the money on PCI?" And, no, the answer is not "Because there are fines" (even though there are fines indeed). The answer is that the list of negative consequences due to neglecting data security and PCI DSS is much longer than fines.
Your company's contract with the acquiring bank probably has a clause in it that any fines from the card brand will be "passed through" to you. With all compliance deadlines passed, the fines could start tomorrow. Visa USA has announced that it will start fining acquirers (which will pass on the costs to the merchant) between $5000 and $25,000 per month if their Level 1 merchants have not shown compliance. In addition, the fines $10,000 per month may already be imposed today for prohibited data storage by a Level 1 or Level 2 merchant.
On top of that, if both noncompliant and compromised, higher fines are imposed as well. However, believe it or not, if compromised, this will be the least of your concerns. Possible civil liabilities will dwarf the fines from the card brands. Some estimates place the cost of compromise at $50 to $250 per stolen account (per stolen, and not per one used for fraud, which will likely be a subset of the whole stolen card pool). It is known that some companies that have been compromised have been forced to close their doors or sold to competition for nominal amount. According to PCI Council study, the per capita cost of a data breach has gone up more than 30 percent in the past year.
Let's use The TJX Companies, which operates stores like TJ Maxx, Marshalls, and so on, as a case study. On January 17, 2007, TJX announced that they were compromised. Because they did not have robust monitoring capabilities such as those mandated by PCI, it took them a very long time to discover the compromise. The first breach actually occurred in July 2005. TJX also announced that more than 90 million credit-card numbers were compromised. In addition to the fines, lost stock price, and direct costs of dealing with the compromise, over 20 separate law suits have already been filed against TJX; some have been converted to class-action status.
Whether you believe your company to be the target or not, the fact is that if you have cardholder data, you are a target because you are someone's "ticket to a better life" via criminal business. You and your organization are simply someone's sheep to be fleeced, and your losses are their gains. Cardholder data is a valuable commodity that is traded and sold illegally worldwide. Organized crime units profit greatly from credit-card fraud, so your company is definitely on their list if you deal with card data. International, federal, and state law enforcement agencies are working hard to bring perpetrators to justice and shut down the infrastructure used to aid in credit-card-related crimes; however, thousands of forum sites, Internet chat channels, and news groups still exist, where the buyers can meet the sellers. Data breaches like the one at TJX are not the work of simple hackers looking for glory; well-run organizations from the Eastern European block and selected Asian countries sponsor such activity and earn a great living from various illegal hacking activities.
The Web site http://datalossdb.org maintains the history of the compromises and impacts in terms of lost card numbers and other records. Since 2005, over 1 billion personal records (a mix of cards, identities, etc.) have been compromised. This includes companies of all sizes and lines of business. If the industry does not get this trend under control, the US Congress will give it a try.
Finally, and few people actually know it, but PCI DSS does mandate a formal risk assessment, not just a list of controls to implement! The Requirement 12.1.2 states that the information security policy must "include an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment."