February 15, 2013, 2:56 PM — Complying with the Payment Card Industry Data Security Standard (PCI DSS) is prohibitively expensive, and the cost of compliance bears very little relation to the cost of a breach, according to Dave Birch, director of IT consultancy Consult Hyperion.
Speaking at a Westminster eForum on the future of digital payments, Birch said that, while data-driven identity fraud accounts for the overwhelming majority of UK fraud, PCI DSS may not be the best solution in the long term.
"The cost of PCI DSS compliance has turned out to be a cure that's worse than the disease," said Birch. "It's not transparently obvious to me that it makes sense to continue it indefinitely far into the future. I think PCI needs as much of a rethink as the payments security itself does."
However, Jeremy King, European director of the PCI Security Standards Council, defended the standard, claiming that the average cost of cardholder data lost in the UK is £79 per record.
If a company suffered a breach of 50,000 records, which is relatively small, it would therefore cost them roughly £4 million. By comparison, the cost of PCI DSS compliance is somewhere between $3 million and $4 million, depending on the size of the company.
King said that PCI DSS is not just about protecting a company's revenues but also their reputation. He pointed to the likes of Sony and Heartland, which suffered significant brand damage following their high-profile data breaches.
"The most important cost to you when you're breached is your brand reputation. The cost of putting your brand back together again is far more significant and far outweighs the cost of the breach," he said.
But Birch argued back, claiming that the stock prices of these companies were unaffected by the data breaches. He also said that the costs incurred by Sony and Heartland were primarily in the form of fines from regulators and payments processors, rather than as a result of fraud.
"I'm unaware of any accurate supported statistical correlation between those losses and any actual card fraud," he said.
King said that organisations are increasingly adopting a risk-based approach to PCI DSS, so they can meet the requirements in stages rather than all in one go. This should make the process of compliance a lot simpler.
It will also help organisations prepare for the European Data Protection Directive, which will regulate the processing of personal data within the European Union.