Feb 19 2009
When I was a security manager, I loved PCI because it gave me a really good reason to spend the money on the technologies I knew needed to be in place. When faced by management that was notoriously stingy …er… thrifty, I could point to the PCI requirements and tell them we needed the technology to be compliant. Not that this always worked when there are open source alternatives, but it did make the initial conversations less about “why do we need this?” and more about “what’s the cheapest way to do this?”, an improvement, if not much of one.
I’ve got two articles to point to today about the cost of PCI. And believe me, the cost can be considerable, especially for smaller companies who have to put in the same types of safeguards as a larger company to become compliant.
- What are PCI “Best” practices: Saving Money or Improving Security? – How do you compare ‘Cost-Effective Compliance’ to ‘Compliance Driven Security’? I have to say I’ve used Compliance Driven Security to get what I wanted in the past because the companies I’d worked for always felt that security was a bothersome task they tacked on to the end of everything. As a PCI assessor, I see both types of efforts, but it’s usually the companies that have the foresight to use a Cost-Effective Complaince philosophy that end up being the more secure at the end of their compliance efforts.
- Cost of PCI Compliance – If you want to give your CFO a little bit of sticker shock, ElementPS has pulled some numbers from a 2008 Gartner report showing how much merchants spent on becoming compliant. Knowing a few former Gartner analysts, I’m a little skeptical of the accuracy of the numbers, but they’re a good starting point for the conversation with the CFO. “Gartner says the average cost for PCI compliance is $X, but I only want to spend $Y. I’m trying to save us money.” It might even work.
Back to working on some of my own PCI projects. Or other people’s PCI projects, depending on how you want to look at it.