Can A Good PCI Strategy Be Based On Saving Money?

Written by Evan Schuman
September 3rd, 2008

Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

It seems clear that most retailers are adopting one of two distinctly different strategies when it comes to data security and compliance. Let’s label them Cost-Effective Compliance (CEC) and Compliance-Driven Security (CDS). Although both approaches are based on best practices and solid risk management principles, they lead to quite different spending patterns, technology decisions and business cultures.

Key questions include: Is one approach "better" than the other? Where does your company fit? What should you do next?

Cost-Effective Compliance (CEC): Despite its name, in practice CEC is not about being "cheap," nor about skipping the work of doing security "right." It’s a very pragmatic strategy, in which IT and the CISO do not assume they have a blank check, and do not use PCI or the threat of breaches to justify buying more technology. Where I have seen the strategy be most prominent is where the CIO has a background in business management and works closely with the CFO, and where both executives share a similar view of the role of IT. This applies to many retailers, where merely having to comply with a law or standard is not enough either to get a project funded or to keep it funded.

At these firms, project managers have to quantify the business value, threats and risk levels associated with each of the major PCI controls. The rationale is that for some "low risk" control areas, you should spend just enough to pass, while for other areas, a higher risk level or greater business value can justify "above and beyond" spending levels. For SME retailers who can barely afford to spend anything on security, a "package" of security products or services that addresses their issues is the very essence of a CEC strategy.

Impact of CEC on Security Decisions: A CEC strategy can be turned into a series of "rules" to help retailers decide whether to implement a particular control. Essentially, making CEC work requires little more than a classic "rank-ordering" of security projects based on the level of protection and compliance offered for the money. For example, data purging gets a very high score on a CEC ranking simply because it costs almost nothing and results in huge reductions in risk, liability and PCI scope while increasing compliance.

Outsourcing, on the other hand, is really a shifting of risk from the IT department to Legal, Sourcing or Vendor Management. Considering that PCI DSS 1.2 is likely to mandate physical visits to service providers, the cost-effectiveness of security or payment outsourcing is actually going to be reduced.

Impact of CEC on Vendor Decisions: Although CEC is not about being cheap, we definitely see merchants who practice CEC buying more open-source security tools. Not just any tools and not just because those tools are "free," though. Rather, the merchants’ analyses of the risk and compliance ROI can only justify, for a particular control, a specific level of spending. Many merchants and service providers have difficulty determining the cost-effectiveness of specific brand-name software or services. The result is that if they cannot justify the incremental cost based on value delivered or proven functionality, then they will buy a less-expensive product. In 2009 and beyond, we expect that it will become harder to sell "compliance checklist" products or services and that most decisions will be made on manageability and cost-effectiveness metrics.

Compliance-Driven Security (CDS): Dozens of retailers believe that PCI helped them get the security tools they had been telling upper management they wanted for years. But this strategy goes way beyond buying new technology "toys." In fact, the best uses we’ve seen of a CDS strategy are at organizations where a security architecture already exists. In these cases, CDS becomes a unifying force in filling in any "gaps" in the architecture, upgrading existing products, and improving documentation and policy enforcement.

Another value of a CDS strategy is that it can be used to help explain and manage "cross-compliance" issues, such as applying PCI controls to protect Social Security numbers or employee healthcare data.

Impact of CDS on Security Decisions: Merchants employing a CDS strategy typically use a giant spreadsheet, where PCI, SOX, HIPAA, PIPEDA and a bunch of other laws and regulations are on one axis, the specific controls they mandate are on the other axis, and the software and services which implement these controls fill in the matrix. The goal of this matrix is to identify which technologies, policies and procedures meet which controls. This tool is very handy in identifying redundancies. Creating these spreadsheets is difficult for most retailers, but they can be purchased from consultants if necessary. Just filling one in properly can be a useful exercise, and it should be almost a necessity for any Level 2 or 3 merchant as part of filling out a PCI self-assessment questionnaire.

Impact of CDS on Vendor Decisions: Once the merchant has filled out the "compliance matrix" or filled in a comparable Web-based questionnaire, the search for "multi-compliant" software and services begins. The goal is to work with vendors who will help the merchant avoid compliance silos by demonstrating and providing the reporting tools for multiple standards, laws and regulations. Again, we are seeing compliance reporting and flexible configurations that can be changed as new versions of standards (e.g., PCI 1.2) or laws emerge being very important in selecting software and services for merchants who are employing a CDS strategy. This tends to drive merchants away from open source and more "basic" solutions that typically offer less flexibility in favor of lower cost and a simpler management interface.

The bottom line on these two compliance/security strategies is that both will lead to compliance and both have many "best" practices associated with them. The difference is that CEC will likely cost merchants less in the near term while CDS offers greater flexibility at a somewhat higher cost to a merchant faced with a broader range of compliance requirements. Although one could argue that there must be a "hybrid" strategy, in most cases, the fundamental goals of CEC and CDS are in conflict, which makes such a middle-ground approach impractical.

By the way, if you’re a retailer, we want to get you involved in the best practices study we’re doing for the National Retail Federation. If you’d like to participate, send me an E-mail at or visit the PCI Knowledge Base.

