PCI DSS Compliance: DIY vs. Outsourcing
Many merchants find themselves stuck firmly in "park" when it comes to Payment Card Industry Data Security Standard (PCI DSS) compliance. They're not sure how to get started - and whether to tackle the work themselves or outsource it.
Pros and Cons
To be sure, both approaches have their own benefits and drawbacks:
Insourcing: PCI DSS compliance often involves some commonsense data and network security precautions. Yet, taking it on as a do-it-yourself project has its hazards, too. Currently, Level 4 merchants account for over 90 percent of retail breaches within the restaurant industry. Why? Hackers know that many of these smaller merchants choose to simply ignore the mandate or attempt to piece together a PCI compliance plan piecemeal, by themselves.
Outsourcing: Utilizing a contractor who understands small business compliance needs can help ensure faster completion and cut down on compliance costs. Yet, contracting out too much - or going with the wrong vendors - can result in cost overruns and even expose you to unnecessary risk.
The key to choosing DIY or outsourcing for PCI DSS compliance is understanding your options - and then choosing the compliance solutions that work best for your company:
- Handle it yourself. Smaller companies with a limited number of transactions per year may be able to manage compliance on their own simply by completing a Self-Assessment Questionnaire (SAQ). To find out more, visit https://www.pcisecuritystandards.org/merchants/self_assessment_form.php.
- Outsource to a QSA. For a completely outsourced solution, you might consider using a Qualified Security Assessor (QSA) - a trained security professional who can help you complete the SAQ and implement the proper compliance measures. The PCI Data Security Council maintains a list of approved QSAs at https://www.pcisecurityst (although you are not obligated to use anyone from this list).
- Train from within. Larger companies that wish to conduct their own PCI compliance testing can send an employee through the PCI Data Security Council's training program to become an Internal Security Assessor (ISA). Once trained, ISAs can perform company-wide security audits, allowing businesses to complete their own PCI compliance certification.
A Better Way
In all likelihood, the best solution for PCI DSS compliance may be a mixed approach - outsourcing some needs while doing the legwork yourself on others. For example, you may be able to install a secure network firewall and encrypt cardholder data stored on your computers and servers yourself. Then, you could turn to an outside provider for vulnerability scans and network penetration tests (scanning is only required for Validation Type 4 and 5, or those merchants with external-facing IP addresses).
But whichever route you choose, compliance will need to be an ongoing effort. Requirements change, so merchants must be agile to stay on top of regulations - and ahead of fraud.
PNC Merchant Services® is dedicated to providing you with the best means to secure your business from outside threats. Contact us to learn more about the PCI DSS validation services you can choose from by calling 800-742-5030.