Data Breach Cost Numbers Games
Written by Evan SchumanJanuary 28th, 2010
Over the last few weeks, one of the most common questions we're hearing discussed is "Is PCI really worth it?" These are multi-billion-dollar retail chains asking this question. But there's a lot more behind the question than it might initially seem.
In a marked contrast to the same kinds of questions two years ago, the intent is not to ignore security. Indeed, many of the chains considering such a heretical question are already putting in place security procedures that go well beyond current PCI requirements. This isn't a safety or security issue. It's a simple CFO's ROI balance sheet, contrasting the bureaucratic and paperwork costs of dealing with the very formal PCI procedure with the limited fines and other bad things that will happen if a chain suddenly stops pursuing PCI compliance. A report released this month from Ponemon tried to quantify the cost of breaches today, but its conclusions are rather underwhelming.
This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.
Already a Subscriber? Login Here
6 Comments | Read Data Breach Cost Numbers Games
Leave a Reply
Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
-Ed
January 28th, 2010 at 8:46 am
You rightly point out that there is no safe harbor through compliance – you are compliant until you are breached, and then you are not. Retailers I work with are wondering “If we implement rational security practices, who cares about compliance?”, and that is hard to argue with. In essence, PCI compliance has become less of a data security exercise, and more of a fine avoidance strategy.
Add to the ROI the unexpected reality of lots of small retailers having to complete SAQ D (think IRS 1040 long form return without TurboTax) and PCI has a serious problem!
January 28th, 2010 at 1:28 pm
The PCI DSS is meant to help organizations put security practices in place. Implementing security best practices will lead to compliance. Although the PCI DSS is not a flawless approach, it has brought a much higher awareness to the importance of securing data.
“Don’t forget that breaches don’t cost anything until they’re discovered.” This statement is completely false – it can cause a lot of damage to a cardholder, regardless of whether the source of the breach is determined.
January 28th, 2010 at 2:16 pm
Editor’s Note: Hi, Christine. I think you misinterpreted the line you quoted: “Don’t forget that breaches don’t cost anything until they’re discovered.” That statement was in the context of what kind of losses did retailers report to the survey. If the XYZ chain doesn’t know about a breach yet, they obviously can’t spend any money yet on cleaning it up or handling communication or paying for lawyers. They may be suffering damages now, but they don’t know it yet. And if they don’t know about it yet, they can’t discuss it in a survey.
January 29th, 2010 at 11:57 am
I am troubled by the potential implication that non-compliance at compromise is some sort of scam:
“PCI and Visa have made a habit of finding some reason to conclude that anyone who has been breached and had been certified as PCI compliant was never really compliant”).
It is rather dramatic proof that (a) MAINTAINING compliance is harder than ACHIEVING compliance.
PCI compliance is a point-in-time assessment. It’s not like freeze-tag when we were kids. Everything keeps moving both during and after the assessment. Businesses change. Hardware and software are added. Users come and go. Fail ONCE and you’re not compliant. And from the presentations at the community meeting last year, forensics investigators don’t see companies who ONLY failed once. The trend seems to be that compromised entities failed all over the place. They had all the information needed to detect the compromise, but weren’t following their own procedures. Users weren’t deleted. Configuration standards weren’t maintained. Log files weren’t reviewed. The list goes on.
Once an organization achieves PCI compliance it has built a control structure complete with checks and balance. Controls require approvals. Approvals create delays. Delays impact agility. Programmers can no longer rush code into production, they have to complete structured tests and migrate in the weekly change control window. Users can’t “phone a friend” for system access, they have to have the approval of the resource owner. Hardware builds have to comply with baselines before attaching to the network (and again, migrate through change control). And a hundred other examples. All of these measurably slow progress. This subsequently incents otherwise decent, hard-working employees facing tight deadlines and pressured to do more with less to behave perversely. In this case, perveresely is defined circumventing controls hindering them while providing them no perceived benefit that are nevertheless necessary at the macro level for the protection of the organization. Marv Carlson, my Management Controls professor, had a name for this situation that I have always loved – “dysfuncntional consequences of a control system”.
Other misconceptions are also in play here including “compliant = secure” and “PCI is an IT problem”. But those are topics for another day…
January 31st, 2010 at 5:41 pm
Data fraud is a crime that cannot be eliminated. The best we can do is to minimize risk and exposure. I believe the card associations are doing what they can, but data security is a work in progress and still has too many gray areas. Try asking for clarification on something and you will get five different answers, depending on who you ask and what day.
While “safe harbor” sounds good, the key words are “compliant at the time of the breach.” Somehow those two things do not seem to go together; therefore, in my opinion, there is no such thing as safe harbor.
February 4th, 2010 at 8:44 pm
The PCI debate mostly stems from confusion caused by a lot of people that comment on PCI without understanding it. Anyone who looks at the PCI DSS which is on the PCI web site can see that many requirements have to do with business practices, policies, and procedures. Being compliant means you’re actually doing all those things at all times. Getting validated means investigating samples and checking in “Yes” on a self-assessment form or an outside QSA does it.
Companies that only care about validation are getting away with not being compliant by avoiding enforcement. It’s like putting on your seatbelt or butting down your phone when you see a police car. Sure you don’t get busted by the police, but you’re just setting yourself up for a tragedy the rest of the time when you slam into something and look up wondering how much damage occurred. If a company rushes to produce samples for PCI validation week, those samples are misrepresentative, meaning the validation process was abused and the company really isn’t compliant. The rest of the systems aren’t compliant. Policy and procedure adherence really isn’t happening causing further lack of PCI DSS compliance.
I’d like to add on that the now removed Visa safe harbor provision only applied to fines from Visa and it did state that they had to be compliant at time of compromise. With all the confusion between compliance and validation, I can understand why.