Though a few large merchants fail to achieve compliance with the Payment Card Industry Data Security Standard, many rely on alternative compensating controls to comply, according to a report released today by Thales Group and the Ponemon Institute. Many large merchants also are paying an average of $225,000 per year for PCI audits, according to the report.
Only 2% of large, Tier 1 businesses fail compliance audits and 98% pass, according to “PCI DSS Trends 2010–QSA Insights.” However, 41% rely on temporary compensating controls to meet PCI requirements, according to the report. The Ponemon Institute, a Traverse City, Mich.-based research group, surveyed 155 qualified security assessors for the report.
A compensating control is an alternative measure a merchant may take to achieve compliance with the standard if it is unable to comply with the requirements as written. Qualified security assessors must approve the control.
A Tier 1 merchant processes more than 6 million Visa transactions annually, and Visa requires qualified security assessors to complete annual reports on compliance for such retailers.
The average cost of an assessment for Tier 1 merchants, excluding technology, operating and staff costs, is $225,000 per year. Ten percent of Tier 1 merchants pay $500,000 or more annually for PCI audits, according to the report.
More than half of surveyed qualified security assessors’ merchant clients, 54%, find compliance with the standard too costly, while 20% are satisfied with compliance costs, according to the report. The report uses information qualified security assessors have learned from their merchant clients to arrive at the percentages.
If the assessors were unable to approve compensating controls and had to adhere strictly to guidelines, “there would be a lot more failures reported,” says Larry Ponemon, Ponemon Institute chairman and founder. “The fact that compensating controls are being made to get to compliance means organizations have a lot of gaps that need to be filled,” he says, noting the percentage of merchants using compensating controls was higher than he expected.
Ponemon compares compensating controls and PCI compliance to a student receiving a failing grade on an exam, after which the professor allows the student to take the test home and change the answers to achieve a passing grade.
A classic example of a merchant needing to use compensating controls is when it has legacy systems unable to meet modern security requirements, says Kevin Bocek, director of product marketing at France-based Thales. A merchant that has been accepting card payments for 40 to 50 years likely has systems that are unable to use encryption, “so the compensating control there could be other security systems in place that would need to live up and be above and beyond what the PCI DSS might have intended,” he says.
For example, such a merchant may have to place heavy restrictions on who has access to card data as a compensating control, says Bocek.
Qualified security assessors are among the most important aspects of the PCI-compliance process because “when it comes to compensating controls they are the ones that must agree they live up to the specs the PCI standard intended,” says Bocek.
More than half of large merchants, 52%, are not managing data privacy and security in their organization, according to the report. Many merchants operate in “reaction mode” and “spend most of their time fighting fires and fixing problems,” which means they are not thinking proactively about how to implement good data-security practices, Ponemon notes.
The goal is to get merchants thinking about how to protect card data and not just about gaining compliance with industry security standards, says Bocek.