January 8, 2010

Clearing the Mystery of PCI Compliance – Final Thoughts

Posted by 2Checkout, Category: Technology

In previous weeks we have been looking at how to become PCI compliant. I will confess that, when I started this article series, I knew next to nothing about PCI DSS. The research for this series was, for me, very educational. The first thing I realized was how involved and complicated compliance can be. The next, and more important, realization was that compliance is a process, and never actually ends. From SearchSecurity.com:

“Compliance is not something that’s bought; it’s a process. It never ends, and it needs to stay in lock step with the changes happening in a dynamic business. Understanding direct costs will probably require additional headcount to pull proper reports and document the program. It also may require investment in some software tools to mine through all the data that is generated by systems, networks and applications.”

One goal of this article series was to provide a reliable "bottom line" figure for the financial investment required to become, and remain, PCI compliant. The more I learned about the industry that specializes in compliance, the more difficult it was to find solid, or even estimated, pricing. What I did find easily matched the research released by Gartner and reported in the PCI DSS Compliance Blog:

“Level 3 merchants, those processing between 20,000 and one million transactions per year, spent an average of $155,000, excluding security assessment.”

In doing this article series, I gained a better understanding of both our internal security procedures (electronic keyed entry, guests signed in, frequent password changes, etc.) and the job that Warner and his team do to make sure that every transaction that passes through our network is as secure as current technology allows. Warner was an amazing resource for this series. When I came to a point where the PCI regulations seemed beyond comprehension, or a solution was difficult to find, they were able to clarify the instructions or point me to products or services that would help. I likely would have given up on the series at the 3rd article if I hadn't had access to a group that manages these details daily.

Even though I am finished with this series, and will not have to become PCI compliant personally, PCI compliance itself never ends. If we were really starting a business with a traditional merchant account, we would only be getting started at this point. As the PCI DSS Compliance Blog perfectly states:

“PCI compliance is dynamic, requiring ongoing adaptation. PCI compliance starts with a set of 12 basic requirements, it continues with vigilance and adaptation, and it ends with….well, it doesn’t end.”