The Ponemon Institute conducted a research study about the upcoming version of the Payment Card Industry Data Security Standard (PCI DSS), a new set of standards expected to be released in October 2010 by the PCI Security Standards Council.
Based on surveys with 155 Qualified Security Assessors (QSAs), the following trends and key findings were identified:
1. Encryption is one of the most effective means for achieving compliance, but questions arise about how to treat encrypted data in audits. It is believed that clarifications will be issued on the use of encryption and key management.
2. 41% of those surveyed believed tokenization will be included in the update as the technology for increasing cardholder data security and reducing the cost of compliance.
3. Tier 1 merchants are paying $122,000 more on average than Tier 2 merchants to do the same QSA assessments.
The survey was designed to focus on identifying trends, recommendations and preferences of QSAs involved in PCI DSS compliance. Specifically, the survey questions focused on the background, experience, client observations, expected changes in PCI DSS, preferences on how to achieve compliance, and typical client recommendations.
In addition to clarification about encryption and key management, the survey revealed that QSAs expect tokenization to be the new technology most likely to be included in the PCI DSS update. In 2009, the PCI Security Standards Council commissioned a PricewaterhouseCoopers study to examine whether four emerging technologies showed potential to enhance data security and reduce compliance costs: tokenization, end-to-end encryption, virtual terminals and card management solutions.
The research also revealed that on average, Tier 1 merchants pay about $122,000 more than Tier 2 merchants for QSA assessments. As uncovered in the previously issued QSA Insights Report, the average cost of an annual QSA audit—the fees paid to QSAs for assessment services—for Tier 1 merchants is about $225,000. The complete research results reveal that an annual assessment for Tier 2 merchants averages $103,000 and for Tier 1 service providers, such as large payment processors, the average cost of an annual on-site QSA assessment is $204,000.