The Payment Card Industry Data Security Standard (PCI DSS) version 2.0, released near the end of 2010, marked the beginning of a stabilization period; no new updates are expected for three years.
In the past, an update to the standard sometimes led to additional product and service sales for security-oriented solution providers. With no new updates planned until 2013, some question whether solution providers will be able to continue to capitalize on PCI compliance, or whether IT spending on security technologies will be driven by other factors.
Recent history: PCI compliance standards
The PCI Security Standards Council (PCI SSC) released version 2.0 of the PCI DSS in October 2010. Since the first PCI DSS standard was released in 2006, the stabilization period for the standard has normally been two years. But this time, the council has set a three-year stabilization period, giving the various parties involved (retailers, merchants, banks, card brands and vendors) more time to work through the updates in version 2.0.
Compliance projects expected to continue
Despite the lengthened period without a planned update, solution providers contacted for this article were confident their PCI-related projects would continue, albeit with a slight drop-off in sales by the third year.
For Altius Information Technologies Inc., a consulting firm in Costa Mesa, Calif., specializing in risk management, assessment, audit and information security services, customers reach out for PCI DSS compliance assistance based on the timing of a business need, rather than the timing of the standard itself.
“It’s not the external mandate of the PCI council, but more of a business change that is driving ongoing PCI engagements,” said Jim Kelton, managing principal of Altius. Kelton listed increased transaction volume or the decision to create a new division as just some of the reasons an organization may move forward at any time with PCI compliance.
Merchants and other organizations that handle secure cardholder data were required to be in compliance with the new standard by Jan. 1, 2011, but not all did so. Richard E. Mackey, vice president of consulting at Sudbury, Mass.-based SystemsExperts Corp., noted, “Our experience tells us that many organizations have yet to really achieve compliance. Continued pressure by acquirers will force many of these organizations to bite the bullet and do what it takes to pass an assessment.”
Diana Kelley, principal analyst at SecurityCurve, an IT research and consulting firm in Amherst, N.H., provided perspective from the analyst community. Kelley believes that changing the PCI DSS revision cycle from 2 years to 3 years should not, in itself, significantly change PCI spending, but concedes that customer spending on compliance can be relatively high at first, and then level off.
"As companies improve their cardholder data environment (CDE) protection programs and implement solutions to reduce the size of their CDE and audit scope, it's reasonable to forecast that year-over-year spending on PCI will stabilize," Kelley said.
With so many reasons for an organization to start or ramp up its PCI compliance activities, no matter when the last standard was announced or how long it will be stable, solution providers should not expect a significant decline in PCI projects. Customers will continue to need solution providers to conduct, or to help them prepare for, PCI audits, assessments and reporting.
“Organizations in the business of helping other organizations become compliant and assessing compliance will have plenty of work to do for the foreseeable future,” Mackey concluded.