The absolute best way to reduce PCI compliance costs is to reduce the size of your Cardholder Data Environment (CDE). In turn, you’ll be able to reduce the “scope” of your PCI assessment. Simply put, if your business can isolate credit card data from the rest of your business processes and networks, then you’ll have fewer areas to certify in your PCI audit. What’s more, the road to PCI compliance will be more efficient and cost-effective.
As discussed in Part II, defining the CDE has always been tricky. Typically, merchants have focused only on the systems that actually store, process or transmit card data. In a “flat” network, however, those systems sit on the same segment as everything else, and under PCI-DSS any system that can connect to them is in scope as well, because a compromise anywhere on the network can reach the payment systems.
As we’ve cited in the previous blogs, the Target breach is a good example. Attackers stole the network credentials of an HVAC contractor and used that foothold to move laterally into Target’s payment network. A business function that had nothing to do with payments was connected to the systems handling card data, which made it part of Target’s CDE and should have put it under the scope of PCI, even though nobody had treated it that way.
Cyber criminals are constantly looking for holes in your network perimeter. Seemingly benign business functions have proven to be an effective way to break in. Many of the changes and clarifications of PCI-DSS 3.0 have been put in place to address exactly this type of vulnerability.
The first step to reduce compliance costs is to perform a rigorous annual assessment of the scope of your CDE, identifying every system, person and process that stores, processes or transmits payment data, plus every system that can connect to those. This all-important scoping then becomes the foundation for your security practices and PCI certifications.
Although not specifically required, PCI-DSS strongly recommends that merchants use network segmentation as a best practice. Network segmentation isolates the systems that handle payment data from the rest of the business’s network. Examples of segmentation techniques include firewalls and switches with well-defined access control lists that restrict traffic between the CDE and everything else, and separate or direct Internet connections for payment terminals that bypass the local network altogether. A PCI-listed point-to-point encryption (P2PE) solution is not segmentation in the network sense, but it reaches the same goal: card data is encrypted inside the terminal and cannot be read by anything on your network, so those systems fall out of scope.
An experienced network engineer can help you assess and implement the most effective segmentation strategy for your business.
If done properly, segmentation:
- Keeps non-compliant servers and workstations out of scope;
- Lowers the cost of the PCI-DSS assessment; and
- Reduces the overall risk of credit card acceptance to the business.
Unfortunately, segmentation techniques can be very expensive in and of themselves. Besides the networking expertise needed, merchants often have to upgrade workstations and networks with new hardware and software to meet PCI standards. Segmentation must also be shown to work, not just drawn on a diagram: PCI-DSS 3.0 Requirement 11.3.4 calls for penetration testing at least annually to verify that the segmentation controls actually isolate the CDE, and a Qualified Security Assessor (QSA) reviews those controls as part of an on-site assessment.
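The scoping rule behind all of this is simple to state and easy to get wrong in practice: any system that can open a connection to a CDE system is itself in scope. The following script, added here as an illustration and not taken from the original post or from any vendor tool, models that rule. It takes a host inventory with zone labels and a first-match firewall rule set, then lists every non-CDE host that can still reach a CDE service. The host names, subnets, ports and rules are constructed for the example, and the model is deliberately simplified (stateless, TCP only, no routing). It shows the kind of reachability check a segmentation penetration test confirms with real traffic; it is not a substitute for that test.

```python
"""Segmentation check: which non-CDE hosts can still reach the CDE?

Any system that can connect to a cardholder-data system is in PCI scope.
This script models a network as an inventory of hosts with zone labels plus
a first-match firewall rule set, and reports every non-CDE host that can
open a connection to a CDE service. All names, addresses and rules below are
constructed for illustration (hypothetical inventory, not a real network).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    zone: str          # "cde" or any other label


@dataclass(frozen=True)
class Rule:
    src: str           # source CIDR
    dst: str           # destination CIDR
    ports: frozenset   # destination TCP ports; empty set means any port
    action: str        # "allow" or "deny"


# Services the CDE exposes; a host that can reach any of them is in scope.
CDE_SERVICES = (443, 3306)

# Constructed inventory: two CDE hosts and three hosts outside the CDE.
INVENTORY = [
    Host("pos-01",      "10.10.0.11", "cde"),
    Host("card-db",     "10.10.0.50", "cde"),
    Host("pay-gateway", "10.20.0.5",  "connected"),   # legitimately needs CDE access
    Host("hvac-mgmt",   "10.30.0.7",  "vendor"),      # third-party HVAC management box
    Host("corp-ws-42",  "10.40.0.42", "corporate"),   # ordinary office workstation
]

# A "flat" network: one rule permitting everything between internal subnets.
FLAT_RULES = [Rule("10.0.0.0/8", "10.0.0.0/8", frozenset(), "allow")]

# Segmented: only the gateway may reach the card database, and only on 443;
# everything else to the CDE subnet is dropped before the general allow.
SEGMENTED_RULES = [
    Rule("10.20.0.5/32", "10.10.0.50/32", frozenset({443}), "allow"),
    Rule("0.0.0.0/0",    "10.10.0.0/24",  frozenset(),      "deny"),
    Rule("10.0.0.0/8",   "10.0.0.0/8",    frozenset(),      "allow"),
]


def permitted(rules, src_ip, dst_ip, port, default="deny"):
    """First-match evaluation of one flow; falls back to the default action."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (not rule.ports or port in rule.ports)):
            return rule.action == "allow"
    return default == "allow"


def in_scope_hosts(inventory, rules, default="deny"):
    """Map each non-CDE host to the (CDE host, port) pairs it can reach.

    Every key in the returned dict is a system that is in PCI scope even
    though it carries no card data itself.
    """
    cde = [h for h in inventory if h.zone == "cde"]
    findings = {}
    for host in inventory:
        if host.zone == "cde":
            continue
        paths = [(c.name, port) for c in cde for port in CDE_SERVICES
                 if permitted(rules, host.ip, c.ip, port, default)]
        if paths:
            findings[host.name] = paths
    return findings


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        scope = in_scope_hosts(INVENTORY, rules)
        print(f"{label}: non-CDE hosts that can reach the CDE -> {sorted(scope)}")
        for name, paths in scope.items():
            print(f"  {name}: {paths}")
```

On the flat rule set every host, including the HVAC management box, can reach both CDE hosts and therefore belongs in the assessment. On the segmented rule set only the payment gateway remains, and only to the card database on one port, which is the list a QSA would expect you to be able to produce and defend. The deny rule for the CDE subnet is placed before the general internal allow on purpose; swapping the order silently re-flattens the network, which is exactly the kind of mistake an annual segmentation test is meant to catch.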
Enhanced Service Providers Can Smooth the Way to PCI Compliance
As discussed in our second blog, PCI presents quite a conundrum for merchants trying to balance the benefits of electronic payments with the rising risk and cost of payment security. Many businesses are caught between a rock and a hard place. They must accept credit cards.
However, the intricacies and costs of card security make it a lose-lose proposition for them. It also forces businesses to take their eye off the ball and away from value-creating activities such as better customer service: the complexity of securing card payments pushes many businesses to become security experts at the expense of their core competencies.
So what is a business to do? On the surface, there appears to be no easy or obvious answer. The above graph is illustrative of the push and pull many find their businesses in. Focus on customer service and your security might suffer. Put all of your efforts into compliance and you might find your customers feeling neglected.
Imagine this scenario instead: Your business accepts credit cards. There is no worry about payment security, PCI compliance audits, annual SAQ verification or penetration testing. Customer engagement doesn’t suffer and in fact, is enhanced. The cost and risk associated with payment security and PCI compliance is mitigated. Most importantly, payment security and PCI compliance issues no longer distract you from your core business. Does it seem too good to be true? It’s not.
It’s precisely how things would unfold if you used a reputable Enhanced Service Provider (ESP) to handle all aspects of your electronic payments. What sets an ESP apart from the more traditional singularly focused service providers? In a nutshell, it’s a vendor that specializes in handling each facet of payment acceptance and security. Every payment, including those made via the web, mobile device, text, email, IVR and kiosk, is entered, transmitted, and stored within the service provider’s fully-hosted payment acceptance environment.
Since payment data never touches your network, the systems on it drop out of scope and the bulk of the PCI work moves to the provider. Responsibility does not disappear entirely: PCI-DSS Requirement 12.8 still requires you to keep a list of your service providers, hold a written agreement acknowledging their responsibility for the card data they handle, and monitor their compliance status at least annually, and merchants in this position typically still complete a short self-assessment questionnaire each year (SAQ A for fully outsourced card-not-present channels). Even so, your PCI footprint or scope shrinks dramatically, saving you the time, headaches and money that come with compliance.
Like anything else, no two ESPs are alike. And because you are entrusting them with your payment processes, you’ll want to thoroughly vet them in the selection process. Here are some key considerations when choosing an Enhanced Service Provider:
Breadth and Quality of the Customer Experience
- For many organizations, the billing and payments process is one of the most visible. In fact, JD Power found that billing and payments self-service features are a significant driver in their customers’ satisfaction. As such, a qualified service provider should provide a unified, seamless and user-friendly suite of electronic billing and payments features across all of your customers’ preferred channels (laptop, mobile apps, website, text message, email, or automated IVR/phone service via credit or debit card or an electronic check). Ensuring your customers’ satisfaction should be paramount for the ESP.
- Security standards and customer service technology are constantly changing, and it can be difficult for most businesses to keep up. A reputable service provider can deftly balance the two, ensuring that their customers’ billing and payments security is up to par without sacrificing the technology features essential to customer relationship management (e.g. integrated notifications, bill reminders, etc.).
- Your ESP should happily and readily provide proof of their track record, commitment to meeting all of your customers’ billing and payments needs, and the ability to keep pace with the latest electronic billing and payments technologies. Equally important, they must be prepared to take full responsibility for your payment security and PCI compliance.
Proven and Comprehensive Payment Security
- You wouldn’t allow an inexperienced surgeon to operate on you. Since security and compliance along with customer satisfaction are vital components to your business, the same care needs to be taken when securing an ESP. Look for one with a long, verifiable security and customer service body of work. The proof is in the pudding.
- Be sure to ask about their own PCI compliance record. It’s pretty difficult to entrust your own security to a service provider if they can’t show proof of compliance or fall short themselves. Start your vetting process by checking the Visa Global Registry of Service Providers to confirm that they are listed as a validated Level 1 service provider. If not, move on. Level 1 service providers must undergo an annual on-site assessment by a QSA and quarterly scans by an Approved Scanning Vendor, a heavier validation burden than most merchants face on their own. They’re in the business of payments, so security (theirs and yours) should be their top priority, and the better ones invest heavily in keeping their security measures current on behalf of their customers, which is to say you.
- Get assurance that your customers’ credit card payments never interact directly with your network. They should be 100% transacted and stored on an outside, fully secure payment platform hosted by the service provider. The security burden should be out of your hands and squarely on the shoulders of the service provider.
- Again, it can’t be said enough: the prospective service provider should be fully confident and comfortable taking full accountability for their services and PCI compliance, and should put that accountability in writing. Requirement 12.8.2 expects you to hold a written acknowledgement from each provider that it is responsible for the security of the cardholder data it handles on your behalf.
In many ways, using an Enhanced Service Provider is much like having an insurance policy. Your organization is able to alleviate risk and compliance issues by delegating to the ESP. And like an insurance policy, you reduce your costs in the long run by investing in a reputable organization that is there to protect your most valuable asset—your customers.
A qualified service provider is keenly aware of your billing and payments security and compliance issues. They appreciate your need to focus on your business without shortchanging your customers or compromising your security and compliance. It’s why they exist. And like you, they are just as committed to providing you with a secure, compliant full suite of electronic billing and payments solutions and an exceptional experience for your customers, no matter how big or small your business.