PCI DSS: The thrills, perils and costs of DIY compliance


17 May 2018

Card payment fraud is rising - and merchants need to safeguard the way they process, store and transmit cardholder data. But should PCI DSS compliance be something you tackle on your own?

We live in a data-sharing, give-away culture today, from free apps to open source software. With the right tools and a few clicks, many business processes can be templated, streamlined and automated with ease. Taking the DIY approach has never been simpler.

But what about achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS)? Should you look for a specialist partner to secure sensitive card information or is this something you can handle yourself?

What's the cost of going it alone?
Many businesses say 'Yes' to the DIY route with PCI DSS. And in a sense, anything is possible if you throw enough resources in the right direction. But how many pounds do you want to channel into compliance? And how much of your life do you want to devote to the task?

Let's start counting the cost of going DIY. But before we set off, it's important to realize that this isn't something you can tackle in a single workshop - or in isolation. In fact, you'll need the buy-in and involvement of your colleagues in IT, security, compliance/governance, HR and your contact center for years to come. No-one can opt out, which requires support from top executives, and you won't win any popularity contests.

PCI DSS compliance is a journey.

Step 1: Assess the risk
How do you receive payments? Over the phone, web, mobile apps and maybe chat channels too? As soon as cardholder data enters your contact center environment, you'll be a target for criminals. So map out exactly how you process, store and transmit any sensitive data. You'll need to lock down every system it touches.

Vulnerabilities will quickly become apparent. You'll need a secure encrypted network and systems, strong access controls and stringent monitoring. The human aspect can be complex too. An armful of management policy documents and some training can help, but ultimately you need to block rogue contact center agents at every turn. Phones, other recording devices, even paper and pens must be kept away from where calls are received. Having 'clean rooms' and using thoroughly-vetted staff only for payment-taking duties can also strengthen your defenses. Of course, the cost of all this security can be shockingly high.

Step 2: Achieve compliance
Merchants and payment service providers fit into different compliance levels, depending on how many credit card transactions they handle. You'll then need to attest your PCI DSS compliance by filling in a questionnaire, submit documents and carry out any remedial action.

If you process over six million card transactions per year, then you'll require Level One PCI DSS compliance - which means you'll need a Qualified Security Assessor (QSA) to check whether you make the grade. Other organizations complete a PCI DSS Self-Assessment Questionnaire (SAQ). Ticking boxes can seem simple and relatively inexpensive, but committing to compliance puts a huge weight of responsibility on you.

Step 3: Keep going ... and going
Achieving compliance is a bit like starting a new relationship. You've raised your game and won the first date: now you have to keep the charm working - and not revert back to old habits. With PCI DSS, that means maintaining compliance every second of every day, with the threat of fines, lost business and brand damage hanging over you if things go wrong.

This is probably the toughest aspect of PCI DSS compliance. Standards can slip alarmingly fast. In fact, Verizon's 2015 PCI Compliance report found that fewer than one third of companies were found to be still fully compliant less than a year after gaining validation.

Maintaining PCI DSS compliance will place a significant cost burden on your company and could also take away valuable resources from the projects that matter most to your business performance. It can also constrain your business processes and make you less flexible and adaptable.

Where are the 'thrills' you suggested in the headline?
There's certainly a sense of satisfaction to achieving PCI DSS compliance, but this is fleeting because it needs to be kept up continually. If anything, the 'thrill' is being kept on the edge of your seat, wondering if your PCI DSS compliance will hold out for another day. It's more chill than thrill.

Help, I'm getting in too deep!
Are you on the DIY journey and you want a safer, cost-effective alternative? Download your free copy of our definitive guide to PCI DSS. You'll discover everything you wanted to know about secure payments but were too afraid to ask.

If you're not convinced by PCI DSS compliance then read our jargon-free guide which explains the rise in CNP crime in contact centers, where you're vulnerable and what you can do to combat the threat.

If you'd like to know more about PCI DSS compliance and secure payments then give us a call on 866 258 9297 or email tellmemoreUS@eckoh.com