March 01, 2010, 11:52 AM — Merchants that undergo network audits to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS) are paying an average of $225,000 each year, and 10% of these businesses are paying $500,000 or more annually, according to a new study. In spite of that, 2% of them fail these audits.
The study, conducted by The Ponemon Institute under sponsorship of Thales, surveyed 155 qualified security assessors (QSA) worldwide who are authorized by the PCI Security Standards Council to conduct these annual technical reviews of the largest merchants' networks. The QSAs were asked to share information about how much their customers are spending on annual PCI audits, which are required by banks and card associations, such as Visa or MasterCard, to be allowed to process payment cards.
With $225,000 to $500,000 spent annually on a PCI audit, "that's a large chunk of change to be doing each and every year," says Dr. Larry Ponemon, the Institute's founder. That cost doesn't include the technology changes and the operating and staff costs associated with the audit, according to the survey. Ponemon notes that sometimes the annual PCI audit "leads to a better security posture, but not always."
Clearly, a PCI audit is no silver bullet against hackers stealing payment-card data directly from merchant and card-processing networks. Some of the largest known victims of these types of crime, such as Heartland Payment Systems, TJX and Hannaford Brothers, are all large enough to undergo the annual audits.
The report also notes that 2% of businesses assessed by the QSAs fail the audit, and 41% rely on what are called "compensating controls" under the PCI rules. Kevin Bocek, director of product marketing at Thales, says failing an audit means working on a remediation plan. Compensating controls, meanwhile, cover what can be done outside the strict PCI DSS guidelines when a requirement is technically difficult to meet as written. "You and your QSA will decide what's appropriate," Bocek says.
Another interesting finding Bocek notes is that the IT security department is often in charge of the overall security environment, but it's the business managers in the organization who hold the budgets for these QSA assessments.