If you’re wondering how to get board support and budget for your PCI DSS compliance project, you might want to refer to our Prime Minister, Malcolm Turnbull.
Mr Turnbull made an impassioned speech this month about the internet and how it had changed our lives for the better. He said, “There is no global institution or infrastructure more important to the future prosperity and freedom of our global community than the internet itself.”
But he also issued a warning. “The challenge we face is that the same qualities that enable us freely to harness cyberspace for prosperity can also provide an avenue for those who may wish to do us harm,” he said, adding that as a nation we need to pay more attention to cyber security and pointed to the costs of cybercrime to the nation.
Of course, your organisation’s board would be well aware that the Payment Card Information Data Security Standard (PCI DSS) is a global information security standard applying to any business or service provider that stores, processes or transmits credit card data. The standards were created by the major credit card schemes and are enforced by the banks.
The Australian Crime Commission, the Prime Minister pointed out, estimates the annual cost of cybercrime to Australia is more than $1 billion in direct costs, but some estimates put the real costs to be as high as one per cent of GDP a year – or about $17 billion.
The PM also praised a national retailer for being “upfront” about the security breach they’d experienced. “A criminal group exploited vulnerabilities in retail websites to extract customer information,” Mr. Turnbull said. “KMART Australia was one of those organisations and reported this to the Privacy Commissioner. I want to commend KMART for being up front about the intrusion.”
As KMART Australia is well aware, data breaches and the costs associated with that continue to rise significantly. Mr. Turnbull went on to encourage business leaders to build a national cyber partnership.
So how does this all fit in with convincing your board to go ahead with what’s required for PCI DSS compliance project, including an appropriate budget?
Well, you can point to many things including: cybercrime is becoming increasingly sophisticated and all business are vulnerable; the average cost per card, once a security breach has occurred is about $145; the costs and PCI DSS regulation requirements become more stringent once a security breach has occurred; and most serious of all, the ongoing impact and financial burden to your business can be sizeable long after the hackers have targeted your IT environment.
Over the years we have seen many effective and ineffective approaches in this area, some of the common themes across successful projects are:
- Don’t focus on PCI DSS certification, focus on the customer & brand protection, as this often generates broader board appreciation compared to a “cost generating certification program”.
- Another approach is to develop an understanding and appreciation of the potential business impacts of a data breach by asking the board what they would do if for example card data from a hundred thousand customer was stolen, what would there media response be, are they ready for the financial consequences. Another option is to incorporate this into the businesses crises management plan.
- Use advanced scanning platforms such as IP Solutions scanning service to quantify the scale of the company’s financial exposure. Companies nearly always underestimate the number of credit cards they have exposed across their systems. Scanning will clearly identify the number of cards exposed and their locations, this data can then be used to calculate potential financial exposure (multiply the number of expose cards by $145 dollars to start developing exposure estimates).
- In Australia the average cost per compromised card lost or stolen was $145 dollars
Source: Cost of Data Breach Study Australia (2014)
One of my favourite experiences in terms of getting executive support, was with one of our large Level 1 businesses, a senior manager went to the board with their complete credit card numbers and highlighted that over 1,000 staff could access the information in less than two minutes, it was quite a successful approach.