Dec 26, 2016
Many organisations treat PCI compliance as an expensive, stressful and time-consuming annual event. In the scramble to achieve compliance, you can feel like you’re paying out left and right for whatever is needed to get through the assessment.
Today I’m looking at what organisations can do to reduce the costs associated with achieving PCI compliance.
What are the Costs Associated with Achieving Compliance?
The costs of PCI compliance vary depending on your company and the security measures you have in place. But while there’s no exact cost for becoming PCI compliant, costs associated with compliance typically fall into three categories:
- Technology – upgrading applications, networks, firewalls, monitoring tools etc.
- PCI DSS validation costs – assessments or scans.
- Compliance maintenance – ensuring your company continues to adhere to PCI standards year-round, keeping up-to-date with documentation and changes.
How to Reduce PCI Costs
While your PCI validation costs will be fixed, you can make changes to the way your company addresses security to bring down the costs associated with achieving compliance.
1) Install Updates
When software gets outdated it quickly becomes vulnerable to attack. If you leave it a whole year between updates, bringing all your software and systems back up-to-date with the latest version will be a huge task for your security team, probably requiring them to work overtime or bring in additional staff to cover the extra workload.
This means staffing and technology costs will mount up. In contrast, if you install updates and patches regularly throughout the year, it will form part of your security team’s normal, manageable workload so you won’t end up paying extra for it.
2) Invest in Developer Training
Security training is crucial for maintaining compliance. Your development team should receive role- or language-specific training, as this will be more actionable for them than general security training.
Many vulnerabilities that make it into finished applications can be detected and remediated early on in the development process. Teaching your developers defensive coding will reduce remediation costs – it costs 30x more to fix a vulnerability during post-production than during the analysis stage of the software development lifecycle.
3) Update Your Knowledge
It’s up to you to ensure that your organisation remains up-to-date with new vulnerabilities and threats as they emerge, and to incorporate appropriate measures into your secure coding practices. It’s also your responsibility to keep up with the changing PCI requirements and security best practices.
This will remove the risk of getting to your PCI compliance assessment and finding out that the standards you’ve been working to are six months out of date. The biggest cost relating to PCI compliance is failure – if you fall short of the standards you’ll need a reassessment, usually involving an audit, which will be time-consuming, disruptive and expensive.
4) Take Advantage of Compliance-Specific Security Courses
Some PCI compliance standards can cause real headaches for organisations. To streamline your compliance assessment, it can be incredibly helpful to send key personnel on PCI-specific training courses – allowing them to understand the ins and outs of the most important compliance risks facing your organisation.
This will reduce the risk of you requiring reassessment or a costly audit, and help to foster a security-conscious culture in your organisation.