Maybe it’s because I grew up in the Midwest. But I just don’t like writing checks to lawyers.
I’ve lots of friends in the legal profession, and all are lovely people (well, most of them, anyway).
But as the pragmatic sort, it pains me to spend money to resolve something that might have been settled at a lesser price well before.
Which leads me to the topic of PCI.
Just reviewed a 2010 study from the data security experts at The Ponemon Institute that looked at the post-incident cost of data breaches. Forget, for a moment, the brand humiliation, the CEO news conferences, the critical whiplash in the blogosphere and throughout Facebook. Ignore, for a moment, that research suggests that 30% of consumers who were victimized by retailer data breaches promise never to patronize the offending brand again.
The Ponemon research found that 42% of all data breach incidents led to the involvement of a third party (there to provide additional, independent investigation, resolve disputes, and soak up consulting fees.)
The average cost of that third party involvement in the United States was $1.52 million, with final resolution costs ranging from $750,000 to upwards of $31 million. That’s on top of lost business estimated at $4.47M per incident.
Total: $6M. Perhaps not fatal to a billion-dollar business, but not a check I’d like to request.
Yes, I know that active, careful PCI compliance is no guarantee. And that active, careful PCI compliance doesn’t put revenue on the top line. And that there’s ongoing confusion about PCI for mobile. And everyone thinks it’s all too expensive. And on and on and on.
But I also know this: active, careful compliance reduces risk. Significantly.
And that the price of risk is not just a bruised brand.
While there is a world of difference between a deck of 52 and a deck of credit cards, it is still wise to hold those payment cards close to the vest. A solid part of protecting those cards from prying eyes is ensuring your insurance firm is compliant with the Payment Card Industry’s Data Security Standard.
Is PCI compliance important to insurers? Every carrier CTO and CIO I have asked has said , “Yes, it is…and we are working on it now.” I’d venture to say, as with all compliance and risk management it is not a one-and-done effort, as regular reviews are required.
Today, April 14, 2011, Cisco announced its newest work in the area of helping companies across all industries comply with the PCI DSS 2.0 guidelines. And since the PCI DSS guidelines apply to all companies—including insurance—that transmit, process or store credit card transactions and cardholder information, I’ve recorded a video in which I discuss the PCI DSS standard and its applicability to insurance.
Cisco is at the table with its customers when it comes to enabling PCI compliance and is an active member of the Payment Card Industry Securities Standard Council’s Board of Advisors. We completed a new Cisco Design and Implementation Guide that includes 30+ Cisco and technology partner products that have been examined by an auditor.
Technologies involved in the assessment include core routing, switching and wireless, plus collaboration and physical security technologies.
Many people wonder what it takes to be PCI compliant. More importantly, people want to know the difference between PCI, FISMA, DIACAP and STIG. With so much alphabet soup, one has to wonder what it all means, and what is the best way to navigate these waters.
I’m not here to provide you with all the answers, but I can certainly help you to understand where PCI fits into the picture.
Last week Carol Ferrara Zarb, industry solution manager sat down with me and talked about the work being done at Cisco around helping merchants address the Payment Card Industry Data Security (PCI DSS) 2.0 standards released last year.
Cisco will be hosting a webinar april 14th 10:00am PT hosted by Lindsay Parker, global director of retail industry marketing with guests including:
Christopher Novak, Managing Principal, Investigative Response, Verizon Business Security Solutions
Danny Dhillon, Principal, Security Engineer, RSA
Rob McIndoe, Senior Security Consultant, Verizon Business Security Solutions
where Carol Zarb and Cisco retail architect Christian Janoff will discuss Cisco’s solution to help merchants address and maintain PCI compliance.
Some facts about Cisco and Payment Card Industry Data Security Standards (PCI DSS)
I was reading an article recently about what auditors really think about the security and compliance requirements that they test for when doing a PCI DSS compliance audit. I was more than a little surprised to read that over 60% of the 505 auditors in the study referenced said the organizations they audit don’t believe compliance improves their data security effectiveness. I’m a bit perplexed by that. After all, there are only 12 requirements in the PCS DSS specification, and they seem pretty straightforward and simple to me. Read More »