Those of you who have been in the industry for any length of time likely remember the days when compliance was nothing more than a check box to most. If you were honest with yourself, there was often more you could do to be truly “compliant”, but the box was checked and no one was really looking over your shoulder. Although some may argue the point, even the most secure environments still fell prey to hackers, yet were considered compliant. Let’s use the example of PCI DSS 3.0 / 3.1. Although not perfect, PCI DSS 3.x has come a long way toward helping merchants be more secure while still achieving compliance attestation.
The problem with PCI DSS 3.x is not its goals and objectives, but the complexity of the overall requirements and the time and budget required to be compliant. Assuming your goal is to work with a Qualified Security Assessor Company (QSAC) that strictly follows the PCI guidelines, the labor required to properly audit has more than doubled due to the increased 3.x requirements.
Considering that the Data Security Standard itself has almost doubled in controls to more than 400, that the amount of mandatory evidence, mandatory onsite review and penetration testing requirements have all increased, and that validation of “out of scope systems” is now expected, many vendors have considered moving away from PCI, or even worse, finding a QSA that will cut corners. In the short term, finding a PCI Qualified Security Assessor (QSA) that provides a low-cost audit sounds beneficial, but consider the repercussions of a cyber breach (costs to investigate, remediate, notify those affected, pay for monitoring, possible fines and legal action, and loss of business due to reputational damage), bearing in mind that it is your obligation to provide evidence of your own compliance, vendor management process, incident response, etc. If in reality you are not compliant, the low-cost QSA doesn’t take the fall; you do! Add fines of up to $50,000 per month for merchants that are not compliant, and low-cost audits may cost you far more than they save.