Thursday, 14 October 2010

Many Retailers Spending 2x-3x more than needed meeting PCI DSS

In my discussions with retail organisations recently I came to the conclusion that many are spending two or even three times more than they need to on PCI DSS IT Security implementations.

Typically, once the networks have been scoped down as far as possible by network segmentation, and cardholder data removed from as many places as possible, the most challenging pieces left are those to meet Requirements 10 and 11 around Log Management and Intrusion Detection.

The costs of these elements, built using traditional solutions, would be made up of three upfront cost elements: (1) a system for Log Management, (2) a system for Intrusion Detection (IDS), and (3) the implementation project; and two recurring cost elements: (1) the maintenance to look after the resulting infrastructure, and (2) the monitoring costs.

In every properly costed analysis we have seen, the largest component is the cost of monitoring the output of the Log and IDS systems, to ensure that value is extracted from collecting the information. This Security Operations Centre (SOC) team needs to include highly specialised skills, ideally available 24/7 but at least reviewing outputs on a daily basis. For a medium-sized implementation, this could amount to one full-time equivalent (remembering that this is little more than 4 hours per day once holidays and weekends are taken into account). Add to this the cost of periodic training for the SOC team to maintain competence and to deal with staff churn. The implementation project team costs can also spiral as problems of implementation complexity arise.

At Virtuous we are working to provide PCI compliant capabilities with as little impact as possible on an organisation’s delivery and operations. Our approach reduces or eliminates the need for a 24x7 SOC through the use of Alert Logic’s Software as a Service (SaaS) appliance for Vulnerability Scanning, Intrusion Detection and Log Collection, storage and analysis. We even provide an IDS monitoring and Log Review service in which the Alert Logic SOC team provides the 24/7/365 monitoring needed to meet the PCI IDS monitoring and Daily Log Review requirements.

The SaaS approach virtually eliminates implementation complexity, and the managed service eliminates customer monitoring and management effort. With zero CAPEX and much reduced OPEX through a monthly fee, the cost typically shows a 50-70% saving over the more typical in-house deployments.
