Recently there has been a steady stream of news items about enterprises announcing that they have been breached and that sensitive customer and financial records were compromised. According to the Verizon 2011 Data Breach Investigations Report, 92% of attacks originated from external agents and 76% of all compromised data came from servers. The PCI Security Standards Council is an open global forum formed in 2006 that is responsible for the PCI Data Security Standard (PCI DSS), a standard designed to protect cardholder data.
I sat down with Lindsay Parker, Cisco global retail industry director, to talk about Cisco’s current investments and efforts to help retailers and merchants secure customer credit card data and maintain compliance with PCI DSS.
Maybe it’s because I grew up in the Midwest. But I just don’t like writing checks to lawyers.
I’ve lots of friends in the legal profession, and all are lovely people (well, most of them, anyway).
But being the pragmatic sort, it pains me to spend money resolving something that could have been settled for far less, well before it became a problem.
Which leads me to the topic of PCI.
I just reviewed a 2010 study from the data security experts at The Ponemon Institute that looked at the post-incident cost of data breaches. Forget, for a moment, the brand humiliation, the CEO news conferences, the critical whiplash in the blogosphere and throughout Facebook. Ignore, for a moment, that research suggests 30% of consumers victimized by retailer data breaches promise never to patronize the offending brand again.
The Ponemon research found that 42% of all data breach incidents led to the involvement of a third party (there to provide additional, independent investigation, resolve disputes, and soak up consulting fees).
The average cost of that third-party involvement in the United States was $1.52 million, with final resolution costs ranging from $750,000 to upwards of $31 million. That’s on top of lost business estimated at $4.47 million per incident.
Total: roughly $6 million. Perhaps not fatal to a billion-dollar business, but not a check I’d like to request.
Yes, I know that active, careful PCI compliance is no guarantee against a breach. And that active, careful PCI compliance doesn’t put revenue on the top line. And that there’s ongoing confusion about how PCI applies to mobile payments. And everyone thinks it’s all too expensive. And on and on and on.
But I also know this: active, careful compliance reduces risk. Significantly.
And that the price of risk is not just a bruised brand.
Last week Carol Ferrara Zarb, industry solution manager, sat down with me and talked about the work being done at Cisco to help merchants address the Payment Card Industry Data Security Standard (PCI DSS) 2.0, released last year.
Cisco will host a webinar on April 14 at 10:00 a.m. PT, moderated by Lindsay Parker, global director of retail industry marketing, with guests including:
Christopher Novak, Managing Principal, Investigative Response, Verizon Business Security Solutions
Danny Dhillon, Principal Security Engineer, RSA
Rob McIndoe, Senior Security Consultant, Verizon Business Security Solutions
In the session, Carol Zarb and Cisco retail architect Christian Janoff will discuss Cisco’s solution for helping merchants achieve and maintain PCI compliance.
Some facts about Cisco and the Payment Card Industry Data Security Standard (PCI DSS)