The real cost of PCI DSS compliance

It's difficult to overestimate the impact PCI DSS has had on information security, not least because of the expense of compliance. As part of's Royal Holloway University of London thesis series, Martin Bradley and Alexander Dent explore the real cost of PCI DSS compliance.

Any company handling credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS), which sets out in rigid detail how the card information should be stored and managed in order to keep it safe.

The reality of PCI DSS compliance, however, is slightly more malleable. Despite the efforts of the big card brands -- notably Visa and MasterCard -- to push compliance with the standard, compliance progress amongst UK merchants has been generally quite slow, with many still seeing compliance as a distant goal.

One big reason for the slow progress has been the huge costs involved in overhauling systems to make them fit for PCI DSS compliance. But other factors have also been at play, such as a lack of clear guidelines and information.

In a new article, published exclusively on, Payment Card Industry Data Security Standard (PCI DSS) -- What it is and its impact on retail merchants (see .pdf below), Martin Bradley and Alexander Dent detail their own research amongst some of the UK's largest merchants. They assess the real costs of becoming compliant, and the biggest hurdles merchants face along the way.

Among their findings, they report the real cost of PCI DSS compliance: many organisations have spent more than £5 million on their PCI DSS projects. They also report high levels of dissatisfaction over the manner in which the standard was introduced, and a general view that, in its early versions at least, the standard was much more suited to online retailers than to those operating "high street" stores.

About the authors:
Martin Bradley has worked in information security for 18 years and is currently security assurance and compliance manager at Marks and Spencer, where he is responsible for the technical solutions required to deliver the PCI DSS compliance initiatives.

Alexander W. Dent is a lecturer in Information Security at RHUL. His research interests are primarily on the theory of provable security in public-key encryption schemes.

This article is based on a thesis written in the Information Security Group at Royal Holloway University of London. It is one of nine that is publishing exclusively in 2010 as part of its close collaboration with RHUL, which is in its third year.
