What's the Industry Cost of PCI Compliance?
A few weeks ago, as part of an article about Hannaford's recent card data breach, I blogged about my 'guestimate' of the cost of PCI compliance across the industry. I said: "Seems like somewhere between US$100 million and US$1 billion?" and asked for reactions. No one reacted - so maybe everyone agreed with my estimate?
Tonight at dinner with some sophisticated, experienced players actively involved in the business of PCI compliance, I posed the same question. After chewing on it a while (it takes a few minutes to comprehend the magnitude of the question!), they settled in on the figure of US$2 billion - to me a pretty staggering sum! Does spending of that magnitude significantly change the economics of card acceptance for merchants?
PCI Compliance, as currently structured, is the tip of the iceberg in transforming the ways that merchants deal with credit cards. Only big security firms can afford the costs of becoming PCI Qualified Assessors.
The only way that the standard can go is to get progressively tighter, and to migrate the certified assessments to smaller and smaller companies. The net effect of this is to dramatically increase costs of dealing with credit cards.
What I think will happen is the following - many merchants will reassess the "collect all data at any cost" mindset. In particular, with credit cards and other high-liability data elements, they will seek to become transit points, passing the data through to a major processor and never handling or retaining it themselves.
Some of the retailers are already complaining about the requirements to keep card data (see NRF for example) that brings them under PCI. They get this.
Net net, smaller processors will be driven out of business, card acceptors will pass through transactions to a major acquirer, and life will go on. Until changes to interchange, that is......
Posted by: Frank J | May 15, 2008 at 08:51 AM