PCI and Handling Sensitive Cardholder Data—Why You Care

The cost of Payment Card Industry Data Security Standard (PCI DSS) compliance is vastly underestimated, but probably not as underestimated as the tangible and intangible costs of a data breach. Every merchant that accepts payment cards has a cardholder data environment (CDE): the systems, applications, networks and processes that store, process or transmit cardholder data, all of which fall within the scope of the PCI DSS. It is possible to limit, and even shrink, the scope of the CDE in order to reduce the merchant's PCI burden.

Merchants that accept debit, credit and prepaid cards are acutely aware of an additional burden placed on their businesses starting in 2006. This is the year that the Payment Card Industry Security Standards Council (PCI SSC) began publishing stringent, resource-intensive requirements concerning the security of handling and storing sensitive cardholder data. Since then, merchants have collectively spent in excess of $1 billion on compliance with the PCI DSS as part of their security programs.

PCI DSS compliance includes a long list of requirements and is a significant responsibility for businesses of all sizes. The security requirements cost the largest merchants (Level 1), on average, $2.7 million, according to the analyst firm Gartner Inc. Even small merchants (Level 4) might have to spend several thousand dollars on the initial security assessment and new technology and security measures. What’s more, maintaining PCI compliance is a continuous process that requires constant vigilance and incurs ongoing costs. The penalties for non-compliance can be severe, including the merchant’s loss of the ability to accept credit card payments and being audited and/or fined.

Still, the relentless drive to protect sensitive cardholder data is vital. Losses stemming from data theft are on the rise. According to the Ponemon Institute, the average cost of coping with a data breach in 2008 rose to $6.6 million—a 40 percent increase since 2006. Moreover, the threats are evolving as organized thieves use ever-more-sophisticated techniques to hack into more merchants’ systems to steal sensitive data. All parties involved in processing card transactions have an obligation to continually improve their data security techniques.

One of the most common reasons a merchant fails a PCI assessment, and a leading factor in data theft, is the failure to adequately protect stored cardholder data (PCI DSS Requirement 3). VeriSign Global Security Consulting Services, a division of security services vendor VeriSign, has conducted hundreds of PCI assessments in recent years. Of the merchant companies assessed by VeriSign, 79 percent were cited for failing to protect stored data; because a single requirement that is not in place means the merchant is not compliant, those companies failed their assessments.

The challenge for merchants is finding and implementing a solution, or set of solutions, that adequately protects sensitive cardholder data both at rest and in motion, meets the requirements of the PCI DSS, and does not slow or impair business processes or reduce profits.