The real cost of PCI DSS compliance

It's difficult to overestimate the impact PCI DSS has had on information security, not least because of the expense of compliance. As part of SearchSecurity.co.UK's Royal Holloway University of London thesis series, Martin Bradley and Alexander Dent explore the real cost of PCI DSS compliance.

Any company handling credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS), which sets out in rigid detail how the card information should be stored and managed in order to keep it safe.

The reality of PCI DSS compliance, however, is slightly more malleable. Despite the efforts of the big card brands -- notably Visa and MasterCard -- to push compliance with the standard, compliance progress amongst UK merchants has been generally quite slow, with many still seeing compliance as a distant goal.

One big reason for the slow progress has been the huge costs involved in overhauling systems to make them fit for PCI DSS compliance. But other factors have also been at play, such as a lack of clear guidelines and information.

In a new article, published exclusively on SearchSecurity.co.UK, "Payment Card Industry Data Security Standard (PCI DSS) -- What it is and its impact on retail merchants" (see .pdf below), Martin Bradley and Alexander Dent detail their own research amongst some of the UK's largest merchants. They assess the real costs of becoming compliant and the biggest hurdles merchants face along the way.

Among their findings, they report the real cost of PCI DSS compliance: many organisations have spent more than £5 million on their PCI DSS projects. They also report high levels of dissatisfaction over the manner in which the standard was introduced, and a general view that the standard, in its early versions at least, was much more suited to online retailers than to those operating "high street" stores.

About the authors:
Martin Bradley has worked in information security for 18 years and is currently security assurance and compliance manager at Marks and Spencer, where he is responsible for the technical solutions required to deliver the PCI DSS compliance initiatives.

Alexander W. Dent is a lecturer in Information Security at RHUL. His research interests are primarily on the theory of provable security in public-key encryption schemes.

This article is based on a thesis written in the Information Security Group at Royal Holloway University of London. It is one of nine that SearchSecurity.co.UK is publishing exclusively in 2010 as part of its close collaboration with RHUL, which is in its third year.

This was last published in December 2010
