Data Breach Cost Numbers Games

Over the last few weeks, one of the most common questions we're hearing discussed is "Is PCI really worth it?" These are multi-billion-dollar retail chains asking this heretical question. But there's a lot more behind the question than it might initially seem.

In a marked contrast to the same kinds of questions two years ago, the intent is not to ignore security. Indeed, many of the chains are already putting in place security procedures that go well beyond current PCI requirements. This issue isn't one of safety or security. It's a simple CFO's ROI balance sheet, contrasting the bureaucratic and paperwork costs of dealing with the very formal PCI procedure with the limited fines and other bad things that will happen if a chain suddenly stops pursuing PCI compliance.

In an odd way, Visa and PCI have been trying to strengthen PCI's reputation by declaring that no breached retailer was ever found to be PCI compliant. But a campaign designed to strengthen PCI has actually served to undermine it.

One of the original attractions to the program was an implied form of safe harbor. It was an unspoken implication that an official PCI certification would be seen as a proof point that the retailer maintained high security levels, sort of like toothpaste that says accepted by the American Dental Association. (Come to think of it, those guys don't seem too picky. When was the last time you saw a tube of toothpaste that was not ADA accepted?) Maybe Underwriters Laboratories or AAA member is a better example. Maybe the Good Housekeeping Seal of Approval?

But now that PCI and Visa have made a habit of finding some reason to conclude that anyone who has been breached and had been certified as PCI compliant was never really compliant, that declaration doesn't seem to be worth much.

It's not politically acceptable to step out of the program, but many retailers are crunching the numbers and seriously thinking about it. The ultimate threat that a non-compliant chain could lose its ability to accept payment cards is ridiculous. Such a move would hurt the card brands more than it would likely hurt the chain. The chains could offer their own card program or cut a deal with any one of the many alternative payment companies. As a practical matter, the threat of taking the cards away from large chains isn't credible.

A report released this month from Ponemon tried to quantify the cost of breaches today, but its conclusions are rather underwhelming. "The average organizational cost of a data breach increased nearly 2 percent, from $6.65 million in our 2008 study to $6.75 million in 2009," the report said. "The average cost per compromised record rose only $2, from $202 to $204."

The problem with these details is that they are based on surveys. First, good security managers never discuss specific details. This fact raises questions about who was actually answering these questions and how close they were to the data. Second, what did those surveyed consider to be part of compromised data costs? Is there any reason to have confidence that all of those surveyed used the identical criteria? If not, those small differences mean nothing.

Even if we assume those numbers are somehow accurate, what practical value does that have? Data breach costs increasing 2 percent could reflect price increases or it might be that executives now know better what needs to be done. Don't forget that breaches don't cost anything until they're discovered. How do you factor in the improved abilities of cyberthieves to hide their actions longer?