Explaining the cost of compliance

As a CTO responsible for adhering to the PCI Data Security Standard, I often found myself explaining the cost of compliance to the CFO. So when an article about how credit card data is a cancer popped up in one of my searches, it naturally caught my eye.

The analogy from security blogger Martin McKeay is good up to a point. Credit card data is cancer-like in the sense that it endangers the health of the company and has a way of spreading and mutating despite a lot of effort to contain it. Audits are like x-rays and breaches are like stages of cancer, the most severe being terminal. It’s a useful analogy if you’re trying to justify the expense of certain protections and countermeasures.

However, the analogy loses its fit in a couple of key areas.

  1. First, cancer is something you generally try to eradicate. Many of the companies that use credit card data have a legitimate need for it, so eradication is not an option (unless you consider tokenization to be a form of eradication).
  2. Second, nobody wants cancer, but there are plenty of criminals who would like to have credit card data. Preventing the data from spreading is only one side of the issue. You also have to prevent malicious hackers from getting the data.

Still, I appreciate where McKeay was coming from. There’s merit to thinking about credit card data as a disease that needs to be quarantined and controlled. The analogy worked well with our CFO, up to a point! Perhaps candy is a better analogy, as one of McKeay’s commenters posted.

The field of information security is complex and flooded with terminology that is unfamiliar to most. Also, many of the expenses of PCI compliance are matters of degree. “We can reduce risk by investing in software XYZ.” In this setting, it’s critical to gain mutual understanding with your CFO and a handy analogy is a great first step.

