Analyst Corner

EMV Will Not Fix Retail Credit Card Security


One of the conclusions of IHL’s latest research, EMV: Retail’s $35 Billion “Money Pit”, is that the failure of the PCI process to stop data breaches has been primarily due to the heavy cost retailers bear to become PCI compliant. As a result, what was meant to be an ongoing process can only be approached as an event by almost all retailers. How much of the budget is taken by PCI?

Cost of PCI as Percentage of Data Security Budget

In our research, we found that on average 14.1% of retailers’ IT budget for 2015 was set aside for data security of all types. This amounts to $10.6 Billion in North America. Of that, on average 37.7%, or $4 Billion, is used for PCI compliance. When we look at the segments, we see that Food/Drug, Convenience, and Mass Merchants spend over 55% of their data security budget just trying to become PCI compliant. Yet, according to Verizon’s Data Breach Investigations Report, 92% of the major retail credit card data breach victims of the last 15 months were PCI compliant, with their audit falling within 8 months of the beginning of their breach.

This is just one of the data points discussed in the study EMV: Retail’s $35 Billion “Money Pit”. EMV is no more the answer to data security for retailers than PCI was. Instead, it is a huge tax on most retailers, who will never see a positive ROI. For more information on this, please see the details of the study here.