PCI DSS: How to Do More With Less
Topics:
PCI
My colleague, Paul Stamp, recently shared his thoughts on the global economic downturn and the fact that it is making many organizations concerned that their IT security budgets will be cut. Echoing Paul's observations, almost all the customers I've spoken with have not seen their PCI budgets cut, but that is not to say they aren't concerned. Many have expressed a desire to stretch their dollars further, asking, "When it comes to PCI and my other security and compliance initiatives, how can I do more with less?"

While people's individual opinions about the PCI DSS vary significantly, the fact is the Standard is here, the fines and penalties are real, and achieving and maintaining compliance often requires significant investments. While these penalties certainly cause some pain and angst, they do help security organizations secure budget, and those dollars can add value well beyond the cardholder environment.

In the past six months, I've seen merchants, banks and service providers of all sizes embrace the fact that the security best practices forming the core of the PCI DSS align very nicely with the other regulatory requirements organizations face (HIPAA, GLBA, local breach notification laws, SOX 404, etc.) as well as with internal, customer and partner security policies. When these organizations use their PCI budgets to procure security controls, their goal is not merely to satisfy their PCI obligations but to exploit the similarities between PCI and many of the other regulations they face, and to leverage those controls across different data types and infrastructure domains.

What is the result of approaching PCI with an eye on best practices rather than on disparate sets of requirements for specific types of regulated data? By leveraging the security controls needed for PCI compliance across the entire business, organizations can reduce the total number of controls in place (e.g. one logging platform for both the PCI and SOX environments rather than two disparate systems). The goal is to reduce the total number of controls to the lowest number reasonably possible, making it possible to do more with less.