Posted 12.12.11
by wpadmin
Blog

Why is a PCI Compliant Environment So Expensive?

Because it’s worth it. It’s the one that really helps an executive sleep at night.

We’ve done HIPAA, SAS 70, SSAE 16, SOC 1/SOC 3 audits, but PCI DSS does the deepest dive, by far. PCI includes source code reviews, requires custom penetration testing and well-documented procedures, policies and change management processes.

PCI is also very prescriptive about the technology you must deploy, compared to other compliance standards. For example, HIPAA requires you to logically secure data, but it doesn’t specifically state the use of a firewall. The PCI audit specifically states that you must use a firewall and numerous other technologies to logically protect cardholder data. It’s those prescriptive solutions that drive up the cost of passing an audit. Here’s an explanation of Web Access Firewall (WAF) and the Annual Penetration Testing:

  • Web Access Firewall – This is a piece of software that watches the web activity to and from your website in order to prevent nefarious activity. This software actually looks at the web page, not the network traffic, and does pattern matching to make sure credit card numbers are not displayed etc. Deploying a WAF requires someone familiar with both the PCI rules and your application. That person then writes a configuration that tells the WAF how to examine the application’s web pages to check for sensitive credit cardholder data. Every time the programmers make a change to the application, the WAF configuration has to be updated. It’s an expensive tool that requires an expert to use. It can cost thousands to tens of thousands of dollars per year to license and maintain the technology for a PCI application.
  • Annual Penetration Testing – PCI requires an internal and external penetration test each year, and after any major change to the application. These tests use both technology and manual review of the application source code to assure there are no threats to sensitive cardholder data. The technology consists of a scanner that examines the ports and attempts various attacks such as SQL injection on the application. Similar to WAF, the scanner has to be custom-configured based on the application. The external test is performed from outside the network. The internal test is done from inside the network, which is where a hacker may be attacking your application.
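The pattern-matching check described in the WAF bullet, as an added illustration that is not part of the original post and is not the configuration of any particular WAF product: it scans a constructed HTTP response body for candidate card numbers, filters the candidates with the Luhn check to reduce false positives, and masks any that pass. The response text and the 4111… card number are constructed sample values (the latter is a widely published test number, not a real account).

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer run of digits. This is a simplified
# pattern for illustration; a production WAF rule set is far more specific.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample response body. "1234567890123456" is 16 digits but
# fails Luhn, so it must not be reported; "555-0100" is too short.
SAMPLE_RESPONSE = (
    "<p>Order #1234567890123456 confirmed.</p>\n"
    "<p>Card: 4111 1111 1111 1111</p>\n"
    "<p>Call 555-0100 with questions.</p>\n"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators so only the digits remain."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(body: str) -> List[str]:
    """Return every Luhn-valid card number found in a response body."""
    return [
        _normalise(m.group(0))
        for m in PAN_CANDIDATE.finditer(body)
        if luhn_valid(_normalise(m.group(0)))
    ]


def mask_pans(body: str) -> Tuple[str, int]:
    """Mask all but the last four digits of each valid PAN; return (body, count)."""
    count = 0

    def repl(m: "re.Match") -> str:
        nonlocal count
        digits = _normalise(m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # leave non-card digit runs untouched
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(repl, body), count
```

A WAF applying this check would block or rewrite the response rather than just report it; the point of the Luhn filter is that order numbers and phone numbers do not trigger the rule.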

PCI also requires file integrity monitoring to ensure configuration files are not nefariously modified, SSL certificates to secure web traffic and dual-factor authentication for administrators. All of these technologies require staff to research, select, install, configure, monitor and maintain them, which increases the TCO (Total Cost of Ownership) of PCI.

But it’s worth it. In today’s world, data is your business. You can’t operate without it, so we welcome the protections prescribed by PCI regulations in order to provide PCI compliant hosting.

PCI also requires a robust and complete suite of documentation, procedures, policies and change management which further increase the TCO. But that’s for another blog entry…
