On January 25th, we released our latest paper, the Impact of PCI-Validated P2PE, authored by our P2PE QSA, Coalfire®. During the past few weeks, we have discussed the first two major sections of the white paper, The Role of P2PE, EMV and Tokenization in Securing Payments and The Differences between PCI-Validated P2PE and Non-Validated P2PE Solutions.
This week we discuss the last major section, The Return on Investment (ROI) and Total Cost of Ownership (TCO) of a PCI-Validated P2PE Solution.
The white paper can be downloaded in its entirety or via these 3 sections on our Resources page.
Total Cost of Ownership (TCO)
TCO analysis is a means of calculating the costs of an asset, service, or initiative over its lifespan. Originally, TCO was used for the evaluation of asset purchases, but the application of this concept has been extended to intangible assets and services as well, allowing comparison of dissimilar solutions to the same problem (e.g., buying a widget vs. using a service to perform the widget’s function).
While TCO formulas may vary depending on the solution being reviewed, an effective calculation must include all visible costs directly related to the project, as well as a reasonable and consistent measure of hidden or indirect costs.
- Common visible costs include the acquisition cost, setup cost, operating cost, maintenance cost, security cost, regulatory cost, repair cost, disposal cost, financing cost, and depreciation savings.
- Hidden costs may include opportunity cost, cost of impact to corporate culture or processes, or other costs associated with business risk such as downtime or weighted costs due to impact of new risks.
Return on Investment (ROI)
An alternate approach is to perform an ROI analysis. The ROI (also known as Rate of Return or ROR) is an expected gain that may be realized through the investment over a specific time period and is expressed as a net gain (or loss) associated with a project over the designated period of time.
Important Note on Security vs. PCI Compliance
PCI DSS is a compliance framework that is designed to protect only the credit card account data that a merchant may encounter. It is not a security standard, per se, as the controls dictated by PCI are a bare minimum necessary to protect one sensitive data type. However, many of the controls required under PCI can also be necessary to support an organization’s overall security program.
One of the remaining requirements for PCI DSS v3.2 (even for merchants who use a PCI P2PE solution and qualify to complete the vastly reduced SAQ P2PE) is to conduct annual risk assessments to identify assets, threats, vulnerabilities, risks, and impact (Requirement 12.2). This exercise is imperative to inform security-related decisions, including the use of security controls to protect other sources of cyber risk, such as protecting confidentiality of personally identifiable information (PII), patient health information (PHI), intellectual property (IP), or ensuring the availability of critical business services.
Sample TCO and ROI Analysis for PCI P2PE Solutions
To illustrate the process of reviewing the cost impact for PCI P2PE, the ROI and TCO analysis in our white paper considers a hypothetical small merchant with eight mobile sales representatives, a retail storefront office with a point-of-sale, a dozen or so non-payment related workstations, and WiFi.
For simplicity, we assume that the merchant does not develop custom software or store cardholder data electronically or physically. In the paper, the hypothetical merchant has identified their costs to implement a P2PE solution with eight mobile and two countertop devices, including initial setup costs, recurring costs, program investment, and ongoing compliance costs.
The paper contains two very detailed tables calculating the following:
- Sample P2PE Investment (by the merchant)
- Sample Compliance Costs with and without P2PE
In summary, the findings on TCO and ROI for PCI P2PE and the Current Solution (without P2PE or with non-validated P2PE), assuming a 10-year lifespan, are:
- TCO of Current Solution: $300,400
- TCO of PCI P2PE: $193,350
- PCI P2PE Return: $114,250
- PCI P2PE ROI: 1,487%
Please download Section 3 for the full detail and calculations.
We hope you have enjoyed our informational blogs on our new white paper, The Impact of PCI P2PE. Please contact us directly with any questions or if you are interested in learning more about our PCI-validated P2PE solutions.