
Average Annual Cost of PCI Compliance Audit? $225,000.
Roughly two percent of companies undergoing payment-card industry technology reviews fail.


Posted: Mar 2, 2010

FRAMINGHAM, MA – A new study reveals that merchants who undergo network audits to ensure PCI DSS compliance pay an average of $225,000 each year, with two percent of those failing the audits, Network World reports.

The study, conducted by The Ponemon Institute and sponsored by Thales, surveyed 155 certified QSAs worldwide. While the QSAs reported that the average annual spend was $225,000, they noted that 10 percent of companies pay $500,000 or more annually.

“[T]hat's a large chunk of change to be doing each and every year,” remarked Dr. Larry Ponemon, the Institute's founder, adding, “[Sometimes, the annual PCI audit] leads to a better security posture, but not always.”

Among the report's notable findings:

  • Two percent of businesses fail QSA audits.
  • 54 percent of QSAs said that their clients feel PCI DSS is too expensive, while 20 percent said that companies are satisfied with compliance costs.
  • 52 percent of QSAs said that companies do not proactively manage data privacy and security, and that “restricting access to cardholder data remains problematic.”
  • 60 percent of QSAs said that encryption is the most effective technology that companies use to protect data — despite the industry not having any specific requirements for end-to-end encryption.
  • While IT security departments are often in charge of overall security, business managers typically allocate budgets for QSA assessments.

Detailed PCI Compliance information is available here.

