Placing a value on this distrust is difficult, but Ponemon estimates that the cost of losing customers combined with the difficulty of recruiting new ones after a data breach averages $75 for every customer record lost. When considering high-profile breaches — like the one at CardSystems, which affected as many as 40 million accounts — the financial impact is astronomical.
All online merchants and service providers that store, process or transmit major credit cardholder data must comply with the Payment Card Industry (PCI) Standard. Published in December 2004 as a joint effort between all major credit card associations — including Visa, AmEx, MasterCard and Discover — the PCI Standard combines technical, physical and administrative controls; educational requirements; policies; and regular audits to create a strong basis for cardholder data security. Member financial institutions are responsible not only for their own compliance, but also for ensuring the compliance of their merchants and service providers for all payment channels, including in-store, mail/telephone-order and ecommerce.
For organizations that handle cardholder data, compliance with the PCI Standard is as mandatory as the Sarbanes-Oxley Act and Gramm-Leach-Bliley legislation. However, there are some major differences when comparing the audit and enforcement implications. For example, the PCI Standard is published and enforced by the credit card associations through their respective programs. Non-compliance is not punishable by law and is not enforced by the state's attorney general or federal agencies. Instead, auditors from the respective credit card associations determine an organization's compliance — at the organization's expense.
Don't be fooled into thinking these differences make PCI enforcement irrelevant. Those auditors can levy fines and penalties for PCI non-compliance immediately and arbitrarily, without going through the court system. Non-compliance is costly: violation fees of up to $500,000, possible suspension or revocation of a company's right to accept or process credit card transactions, and loss of reputation and potential revenue. And the FTC is getting involved too, taking action based on its "unfair trade practices" rule.
Because of its level of detail, PCI introduces a variety of significant implementation challenges. One of the more evident is change management. PCI Standard change control requirements affect all systems and network components, underlining the importance of related processes and procedures.
Without strong change control processes, the ability to identify, investigate and roll back undesirable changes is almost non-existent, and the stability and reliability of the technology infrastructure are greatly hampered. Therefore, PCI auditors want to see that member organizations have effective change management controls in place.
However, effective change management controls require more than just process. Continuous validation of changes as they occur must follow, usually through the use of change auditing tools and daily review of change reports. This creates a necessary feedback loop, providing the information needed as part of a compliance audit.
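A minimal form of that feedback loop, as an added example (not code from the original article): a baseline snapshot of in-scope configuration files is compared against the current state, and every detected change is reconciled against the approved change tickets, so that anything without a ticket is flagged for investigation and roll-back. The file paths, contents and ticket numbers below are constructed; a real change auditing tool would read the actual files of the in-scope systems and network components.

```python
import hashlib

# Constructed sample: in-memory file contents stand in for real configuration files
# on in-scope systems, so the example runs offline.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/firewall/rules.v4": b"-A INPUT -p tcp --dport 443 -j ACCEPT\n",
    "/opt/app/config.yml": b"log_level: info\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # modified
    "/etc/firewall/rules.v4": b"-A INPUT -p tcp --dport 443 -j ACCEPT\n",          # unchanged
    "/opt/app/config.yml": b"log_level: debug\n",                                   # modified
    "/opt/app/cron_job.sh": b"#!/bin/sh\n",                                         # added
}
# Constructed: changes that went through change control, path -> ticket id.
APPROVED_CHANGES = {"/opt/app/config.yml": "CHG-1042"}


def snapshot(files):
    """Baseline or current state: path -> SHA-256 of the file content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_snapshots(baseline, current):
    """Classify every in-scope file as added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def change_report(changes, approved):
    """Daily change report: each detected change is tied to an approved ticket or flagged."""
    report = []
    for kind in ("added", "removed", "modified"):
        for path in changes[kind]:
            ticket = approved.get(path)
            report.append({"path": path, "change": kind, "ticket": ticket,
                           "status": "approved" if ticket else "UNAUTHORIZED"})
    return report


def unauthorized_changes(report):
    """The items a reviewer must investigate and, if undesirable, roll back."""
    return [row["path"] for row in report if row["status"] == "UNAUTHORIZED"]


if __name__ == "__main__":
    changes = diff_snapshots(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))
    for row in change_report(changes, APPROVED_CHANGES):
        print(row)
```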
Barak Engel is principal of Engel & Associates.