There’s one big problem for IT departments seeking guidance related to PCI DSS 2.0. The best advice, as Payment Software Co. principal Tom Arnold points out, is often “it depends.”
That makes it difficult for companies trying to get definitive answers on budgeting for IT expenditures connected to PCI DSS, Arnold said during a recent webcast exploring IT impacts under PCI DSS.
“Depending on the technology being used, depending on the environment and how the environment works and specifically how your business model works, there can be variances,” Arnold said.
PCI DSS 2.0 requirements affect IT costs due to an expansion of existing requirements (increased testing procedures) and a redefinition of past requirements (a greater emphasis on processes), Arnold said. There were new requirements as well, such as the introduction of metrics to evaluate vulnerabilities. Increased regulations surrounding network security, protecting stored data and developing secure systems and applications can impact capital expenditures as well, Arnold said.
The new and revised requirements have logistical effects as well. Arnold estimated that collecting evidence for a PCI DSS compliance assessment could now take twice as long as before. Also, the reporting requirements placed on Qualified Security Assessors (QSAs) call for a large amount of additional information. As a result, PCI DSS compliance budgets could be two to three times higher than in previous years, Arnold added.
To deal with these changes (and the extra funds involved), Arnold advises companies to:
- Engage a QSA to perform gap analysis based on PCI DSS 2.0 requirements.
- Define architecture to close gaps between requirements and areas that are lacking.
- Define solutions for both retail and remote sites.
- Identify capital exposures surrounding PCI DSS 2.0.
- Budget appropriately for exposures (and plan to implement them by Jan. 1).
Despite this sound advice, the “it depends” factor still looms. This subjectivity fueled significant criticism of PCI DSS and PCI DSS 2.0, with some critics saying that the rules were too dependent on the makeup of organizations trying to achieve PCI DSS compliance. It doesn’t help that companies already tightening their belts face the added expense of adapting to the new PCI DSS 2.0 requirements.
Still, following the PCI DSS rules could benefit a business’ bottom line. As recent data breaches have shown, not adequately protecting customer information can be quite a bit more costly than spending on compliance.