More than 280 million payment card records were breached in 2008 alone and a large percentage of those stolen records were used fraudulently. In fact, the underground economy is teeming with stolen payment card data. Some controls are in place to help card payment processors prevent credit card fraud through increased controls around data and by limiting potential exposure to compromised information records. The Payment Card Industry Data Security Standards (PCI DSS), for example, are widely considered to be a worldwide set of best practices for securing sensitive data. PCI DSS procedures are an essential component in any merchant’s holistic risk management program—but they are not without their burdens and limitations.
More than a billion dollars. That’s how much money merchants have collectively spent on PCI DSS compliance as part of their security systems.
Indeed, PCI DSS compliance is a resource-intensive challenge to businesses of all sizes. According to the analyst firm Gartner, a Level 1 merchant (generally defined as a merchant that annually processes 6 million or more Visa® or MasterCard® transactions) might spend millions of dollars to initially meet the security requirements prescribed by the PCI Security Standards Council (PCI SSC). Even a Level 4 merchant (commonly defined as a merchant that annually processes fewer than 20,000 Visa or MasterCard eCommerce transactions, or fewer than 1 million Visa or MasterCard transactions in total) might have to spend several thousand dollars on the initial security assessment and on new technology and security measures.
Meeting the security requirements is just the start; maintaining PCI DSS compliance is a continuous process that requires constant vigilance and incurs ongoing costs.