The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for any organization that stores, processes, or transmits cardholder data, merchants included. It is not a government regulation but an industry-created, industry-maintained standard enforced through the card brands and acquiring banks; noncompliance can lead to fines or even the loss of the ability to process card payments.
For many merchants, the real costs stem from getting into compliance: the time and money spent making sure that you have the right security infrastructure in place, that your systems meet all the applicable requirements, and that you have the documentation to demonstrate your efforts. Those costs can differ dramatically depending on a merchant's size and circumstances.
Three Key Ways to Reduce PCI Compliance Cost
1. Explore opportunities for segmentation
PCI DSS applies to every system that stores, processes, or transmits cardholder data, plus any system that can connect to or affect the security of those systems (together, the cardholder data environment, or CDE). Most merchants also run many systems that never touch card data: building management systems, for example. If those systems are properly isolated ("segmented") from the payment-handling systems, they fall outside the scope of PCI DSS, which for many merchants limits both the security measures required and the associated spend. Two caveats apply. First, segmentation only reduces scope when it is verified: a system that can still open a connection into the CDE remains in scope, and PCI DSS requires that segmentation controls be tested to confirm they actually isolate the CDE. Second, segmentation is not always worth it; for a small business with a handful of computers, letting payment processes and other systems coexist may be the simpler choice. Careful case-by-case evaluation is the best way to decide whether segmentation makes sense for you.
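The scope-reduction argument above only holds if the firewall policy really cuts every path into the CDE. The following script is an added example (not LBMC's tooling and not anything published by the PCI SSC) that shows the kind of check a practitioner runs before claiming a zone is out of scope: it takes a hypothetical host inventory tagged by network zone and a hypothetical default-deny allow-rule list, and classifies each host as CDE, "connected-to" (in scope because the policy lets it talk to the CDE), or out of scope. The zone names, hosts, and rules are constructed for illustration.

```python
"""Toy PCI DSS segmentation scope check.

Added example, not LBMC's or PCI SSC's tooling. Assumptions (hypothetical):
- Every host is tagged with a network zone.
- The firewall policy is a default-deny list of allow rules between zones.
- A host is in scope if it lives in the CDE, or if the policy permits any
  connection between its zone and the CDE in either direction (PCI calls
  those "connected-to" systems). Anything else is out of scope.
"""
from dataclasses import dataclass

CDE = "cde"  # zone name used for the cardholder data environment


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int  # 0 means any port


# Constructed sample inventory: host -> zone
HOSTS = {
    "pos-01": "cde",
    "pay-gw-01": "cde",
    "hvac-ctrl": "building-mgmt",
    "badge-srv": "building-mgmt",
    "guest-ap": "guest-wifi",
    "hr-app": "corp",
}

# Constructed sample allow rules; everything not listed is denied.
RULES = [
    Rule("cde", "cde", 0),
    # The HR application can reach the payment gateway on 443. That single
    # rule drags the whole corp zone into scope as "connected-to".
    Rule("corp", "cde", 443),
    # Building management can reach corp, but not the CDE directly. A QSA may
    # still want this indirect path examined, but it is not a direct hit.
    Rule("building-mgmt", "corp", 443),
    Rule("guest-wifi", "internet", 0),
]


def zones_touching_cde(rules):
    """Return every non-CDE zone with an allow rule to or from the CDE."""
    touching = set()
    for r in rules:
        if r.dst_zone == CDE:
            touching.add(r.src_zone)
        if r.src_zone == CDE:
            touching.add(r.dst_zone)
    touching.discard(CDE)
    return touching


def classify(hosts, rules):
    """Map each host to 'cde', 'connected-to', or 'out-of-scope'."""
    connected = zones_touching_cde(rules)
    result = {}
    for host, zone in hosts.items():
        if zone == CDE:
            result[host] = "cde"
        elif zone in connected:
            result[host] = "connected-to"
        else:
            result[host] = "out-of-scope"
    return result


def in_scope_hosts(hosts, rules):
    """Sorted list of hosts that a PCI assessment would have to cover."""
    return sorted(h for h, c in classify(hosts, rules).items() if c != "out-of-scope")


if __name__ == "__main__":
    for host, category in sorted(classify(HOSTS, RULES).items()):
        print(f"{host:12} {HOSTS[host]:14} {category}")
```

Run as-is, the building-management and guest-wifi hosts come out as out of scope, but the HR application is pulled in as "connected-to" by the single corp-to-CDE rule; delete that rule and corp drops out of scope too. A real check would feed the script from the firewall's exported policy rather than a hand-written list, and the result still has to be confirmed by the segmentation penetration test the standard requires.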
2. Work with security partners
For large merchants with complex systems, the cost of compliance can be high simply because of the size of the environment in scope. These medium-to-large businesses are often well served by transferring some security responsibilities to a third-party firm. For example, a managed security service can provide continuous monitoring and rapid response to network intrusions for less than it would cost to build the same capability with highly compensated internal staff. Merchants that must produce a Report on Compliance (ROC) to demonstrate PCI compliance to their acquiring bank will already have worked with a Qualified Security Assessor to obtain it.
A Qualified Security Assessor (QSA) is a third-party security firm, such as LBMC, that the PCI Security Standards Council has vetted and certified to perform PCI DSS assessments. What many businesses don't know is that a QSA, which may already be familiar with your security operations and needs, may also provide additional security services such as penetration testing and managed security, subject to the independence requirements the PCI SSC places on QSA companies between assessment work and other services delivered to the same client. A third-party organization cannot take on 100% of your PCI responsibility: you still have to verify and demonstrate your own compliance, and PCI DSS itself requires you to keep a list of your service providers and monitor their compliance status. But you can leverage their expertise to implement more cost-effective, customized solutions and reduce your burden.
3. Use compensating controls
While larger organizations have to deal with a larger system scope, smaller organizations face their own challenges, often including less money to spend on security solutions. PCI DSS accordingly allows "compensating controls" to be used in place of a requirement that an organization cannot meet as written because of a legitimate technical or documented business constraint. The starting point is to look at what the original requirement is trying to accomplish. Is it protecting card data? Core systems?
A compensating control is a different solution that achieves the same objective as the original requirement. To be accepted, it must meet the intent and rigor of that requirement, provide a comparable level of defense, go above and beyond what other PCI DSS requirements already demand, and be documented (the standard provides a compensating controls worksheet for this) and re-validated at every assessment. Within those limits, compensating controls can represent cheaper or less invasive alternatives. There is no universal rule for when they apply; each situation is unique to the merchant and should be considered independently.
With that said, a QSA is in the best position to help an organization identify and document an appropriate compensating control when it finds a particular PCI DSS requirement it cannot meet. If you are struggling to implement or maintain certain requirements because of limitations in your technical environment, staffing model, or business applications (cost alone is not a constraint the standard recognizes, but a documented business constraint can be), consider working with a QSA to identify a reasonable alternative.
To learn more about reducing the cost of PCI compliance, download our free guide, PCI Compliance Guidelines Explained. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.
LBMC Information Security reviews compliance efforts, can test to assure compliance and can help your team develop an action plan to remediate compliance. If you have questions, please contact us. Learn more about our PCI Compliance services.