Would You Rather Build or Buy PCI Compliance?
Businesses that process credit cards have a requirement to comply with regulatory mandates such as the Payment Card Industry Data Security Standard (PCI-DSS). PCI-DSS is a standard established by the PCI Security Standards Council, a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
Why this requirement? Industry data suggests that over 80% of all websites are vulnerable to hackers and other attacks. The goal of PCI-DSS is to reduce this number dramatically.
What's more, there are harsh consequences for non-compliant businesses that suffer a hack or data breach, which typically include:
- The merchant is responsible for repaying issuing banks for all fraudulent charges attributable to the breach.
- The merchant must pay for the (expensive) forensics investigation to determine how the breach occurred and how many credit cards were compromised.
- Acquiring banks will fine card issuers thousands of dollars; those fines are passed on to the merchant, with additional fines added along the way.
- Time and cost for the merchant to deploy new, secure technology and processes.
- Loss of revenue and customers due to the harm a data breach does to a merchant’s reputation.
For most eCommerce operations, building an internal fraud prevention solution that is PCI compliant will be more expensive, require more time, and necessitate more headcount than buying PCI-compliant fraud-prevention capabilities from a third-party provider. That said, there are specific scenarios where the in-house build approach can make economic and operational sense:
- Huge operation and transaction volumes (more than $500 million/year)
- Access to unique data
- One-of-a-kind transactions or customers
Nonetheless, as online businesses weigh the costs and benefits of building an in-house anti-fraud capability, the cost, time and headcount impact of PCI compliance must be factored into any decision.
A Gartner report (2007) estimated that large merchants processing more than 6 million transactions of a single card type per year will spend a total of nearly $700,000 assessing what is required to become PCI compliant and then meeting those requirements. A more recent study in the UK (2010) found that many organizations spent nearly $7 million on PCI compliance.
What is behind these rather significant costs? There are 13 steps or requirements involved in becoming PCI compliant, all of which entail substantial IT, technology, and personnel costs to develop and maintain:
- Self-Assessment Questionnaire. Over 84% of all merchants fail their first PCI scan.
- Firewall Configuration. Minimum acceptable configuration standards; prohibited access standards; firewall for remote or mobile sessions; etc.
- System Passwords. Unique, non-vendor supplied passwords; configuration standards meet best practices; browser and web-based management tools encrypted; etc.
- Data Protection. Data retention policy meets business, legal, and regulatory requirements; reviewed regularly by counsel; primary account numbers masked; cryptographic keys protected; etc.
- Encrypted Transmission. Communications via unsecured networks are encrypted; WEP avoided; PANs or card data never sent via email or instant messaging; etc.
- Antivirus Software. All platforms—mobile, desktops, servers, etc.—protected; licenses must be up-to-date; patches implemented; logs secured; etc.
- Secure Systems & Applications. Both in-house and outsourced systems and applications kept up to date; security patches current; regular audits to detect vulnerabilities; etc.
- Restrict Access. Strong internal access controls; data restricted to individuals with a need-to-know; automatic denial of unauthorized requests for access; etc.
- Unique User IDs. Anyone accessing cardholder data must have a unique ID; stored passwords encrypted; two-factor authentication for remote access; etc.
- Controlled Physical Access. Strong security and tracking of visitors, employees, and vendors; reporting of all access events; secured backups; etc.
- Track and Monitor Access. Access linked to unique user IDs; track user identification by activities, date, time, origination, etc.; system clock synchronization; secure audit trails; etc.
- Systematic Testing. Periodic vulnerability scans; all wireless access points identified; penetration testing; network intrusion detection and testing; etc.
- Maintain a Policy. Security policy and procedures documented; usage policies documented; designated security staff; employee and provider screening; etc.
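The Data Protection and Track and Monitor items above both turn on the same operational detail: a PAN must never appear unmasked in displays or audit logs. The following added example (not from the original page or any vendor product) shows a log scrubber that masks Luhn-valid 13-19 digit runs to the first six and last four digits, the most PCI-DSS permits on display, and a check that can run over log output to detect leaks; the sample log line and card number are constructed test data.

```python
import re

# Constructed sample log line containing a full PAN. The number is a widely
# used test card value, not a real account, and is not from the original page.
SAMPLE_LOG = "2024-01-05 12:00:01 order=1234 pan=4111111111111111 amount=42.00"

# Any run of 13-19 digits is a PAN candidate; the Luhn check below filters
# out most non-card numbers (timestamps, order ids, amounts).
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI-DSS allows for display.

    Masking is a display control only: stored PANs still need truncation,
    tokenization or strong encryption to satisfy the data protection requirement.
    """
    if len(pan) < 13:
        raise ValueError("too short to be a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN candidate in a log line with its masked form."""
    def _repl(m: re.Match) -> str:
        s = m.group(0)
        return mask_pan(s) if luhn_valid(s) else s
    return PAN_CANDIDATE.sub(_repl, line)


def contains_unmasked_pan(line: str) -> bool:
    """Detection check for log review: does any Luhn-valid PAN candidate remain?"""
    return any(luhn_valid(m.group(0)) for m in PAN_CANDIDATE.finditer(line))
```

Luhn-valid 13-19 digit strings that are not card numbers (some device serials, for example) will also be masked, which is the safer direction for a log sink; tune `PAN_CANDIDATE` to known issuer prefixes if that matters.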
On the other hand, online businesses that buy enterprise-class fraud prevention from an outside provider can typically avoid the complexity and cost associated with PCI compliance, as these are absorbed by the third party. For this reason, the overwhelming majority of eCommerce operations will experience lower costs and maximum ROI by choosing a buy approach:
- Reduced upfront and recurring costs
- Less time required to implement and maintain
- Reduced headcount and personnel costs
- Simpler security and compliance
Discover more about the pros and cons of building an in-house anti-fraud system versus buying an outsourced, third-party solution. Download the white paper “Buy Versus Build: A Discussion for Implementing a Fraud Management Solution.”