StorefrontBacktalk - Surviving IT Security’s Dark Ages

29 December 2008

Just read a couple of articles on StoreFrontBackTalk from earlier in the month. Both were written by David Taylor (who started PCI Knowledge Base - www.knowpci.com) and both were good articles. The one from the 10th had this blurb as one of his recommendations for dealing with security/PCI in a tough economy…

Focus on risk reduction, not fine avoidance

Many organizations set their budgets for PCI compliance based on the avoidance of fines. Thousands of CFOs and other financial executives received letters from their acquiring banks in the last three years threatening monthly fines of $25,000 to $50,000 for non-compliance with the PCI standards. These letters drove much of the spending on PCI in 2006, 2007 and 2008.

These fines, however, did not drive “strategy.” They did the opposite. They did not drive risk-based controls. They drove checklist controls. Now that more organizations have achieved basic checklist compliance, through compensating controls or whatever means necessary, it’s time for security professionals to focus on documenting and measuring residual risk, which remains after checklist compliance has been achieved.

We recommend reviewing your ROC or SAQ and identifying 5-10 areas where you know that ongoing risk is high and there is general “fear of the unknown” on the part of management. Wireless is a great example and so is application security. Then quantify the risks, in terms of potential loss, using security breach examples and some quotes from the PCI Knowledge Base or the press.

The goal is to get upper management to appreciate the delta between compliance and security, without making PCI compliance appear to be a waste of money. Quantification of risk is the key to making your case.

StorefrontBacktalk - Surviving IT Security’s Dark Ages.

This is very, very good advice and something that retailers need to understand.  Thanks to David for the articles…