
PCI DSS Compliance: DIY vs. Outsourcing

Many merchants find themselves stuck firmly in "park" when it comes to Payment Card Industry Data Security Standard (PCI DSS) compliance. They're not sure how to get started - and whether to tackle the work themselves or outsource it.

Pros and Cons
To be sure, both approaches have their own benefits and drawbacks:

Insourcing: PCI DSS compliance often involves some commonsense data and network security precautions. Yet taking it on as a do-it-yourself project has its hazards, too. Currently, Level 4 merchants account for over 90 percent of retail breaches within the restaurant industry. Why? Hackers know that many of these smaller merchants choose to simply ignore the mandate, or attempt to piece together a PCI compliance plan on their own.

Outsourcing: Using a contractor who understands small business compliance needs can help ensure faster completion and cut down on compliance costs. Yet contracting out too much - or going with the wrong vendors - can result in cost overruns and even expose you to unnecessary risk.

The key to choosing DIY or outsourcing for PCI DSS compliance is understanding your options - and then choosing the compliance solutions that work best for your company:

  1. Handle it yourself. Smaller companies with a limited number of transactions per year may be able to manage compliance on their own simply by completing a Self-Assessment Questionnaire (SAQ). To find out more, visit
  2. Outsource to a QSA. For a completely outsourced solution, you might consider using a Qualified Security Assessor (QSA) - a trained security professional who can help you complete the SAQ and implement the proper compliance measures. The PCI Data Security Council maintains a list of approved QSAs at https://www.pcisecurityst (although you are not obligated to use anyone from this list).
  3. Train from within. Larger companies that wish to conduct their own PCI compliance testing can send an employee through the PCI Data Security Council's training program to become an Internal Security Assessor (ISA). Once trained, ISAs can perform company-wide security audits, allowing the business to complete its own PCI compliance certification.

A Better Way
In all likelihood, the best solution for PCI DSS compliance may be a mixed approach - outsourcing some needs while doing the legwork yourself on others. For example, you may be able to install a secure network firewall and encrypt the cardholder data stored on your computers and servers yourself. Then, you could turn to an outside provider for vulnerability scans and network penetration tests (scanning is only required for Validation Type 4 and 5, or for those merchants with external-facing IP addresses).

But whichever route you choose, compliance will need to be an ongoing effort. Requirements change, so merchants must be agile to stay on top of regulations - and ahead of fraud.

PNC Merchant Services is dedicated to providing you with the best means to secure your business from outside threats. Contact us to learn more about the PCI DSS validation services you can choose from by calling 800-742-5030.

PNC is a registered mark of The PNC Financial Services Group, Inc. ("PNC")

PNC Merchant Services are provided by PNC Merchant Services Company and are subject to credit approval. PNC Merchant Services is a registered trademark of The PNC Financial Services Group, Inc.

This Merchant Business Insights e-Newsletter is designed to provide useful and practical information for merchants accepting card transactions. It is not intended to be legal, tax, accounting or financial advice, nor should it be substituted for a full and regular review of the Association Rules and any changes thereto. Internet sites provided in this e-Newsletter are provided as a convenience to our readers. While PNC Merchant Services endeavors to provide resources that are reputable and safe, we are not responsible for the information, products, or services obtained on such sites.