By Drew Simons, President, Roxville Technology
Most MSPs are aware of the magnitude of the PCI compliance opportunity. More than 20 million global businesses accept credit card transactions, with half of those companies located in the United States—and all of them subject to PCI DSS regulations. It could represent a watershed of opportunity for related services. Consider what’s at stake:
A recent Ponemon study estimated the average cost to US companies for a single compromised record in 2017 to be $225, and breaches can involve hundreds of records. Fines for non-compliance run anywhere from $100 up to $1.5 million per violation, and levies from major payment card companies range from $5,000 to $100,000 per month. The risks are enormous and, if improperly managed, can devastate any business, especially in the SMB market.
Many companies are also rushing to implement compliance safeguards to protect against larger cyber security threats, particularly in light of the recent compromises at Equifax and Deloitte, for example, and going back as far as the Target and Home Depot fiascos.
For instance, a long-time client of ours—a mid-size hospitality organization with a network of nearly 200 users—recently approached our MSP practice. They realized that if major corporations are faltering on this front, it is not only wise but imperative to become PCI compliant. Bearing in mind the latest breaches in the market, the company proactively pursued cyber security insurance, and PCI compliance was among the mandatory conditions of that coverage.
‘Not Your Wheelhouse’ Doesn’t Mean ‘Over Your Head’
We were asked to quickly find a way to address the client’s request, despite having no current PCI compliance program in place—that, or risk surrendering a portion of their business to a third party. As most MSPs would attest, PCI compliance is an extremely complex discipline. Companies must address hundreds of detailed questions based on numerous statutes and sub-statutes.
Many of these questions focus on the company’s network infrastructure. However, the regulations aren’t limited to technology. They extend to the procedural and policy-oriented workings of the organization. For example, the mandates cover physical access to rooms that store sensitive information, such as server closets or filing areas. They address how and when information is displayed on monitors or sign-in rosters. They consider which facility doors are locked, and during which periods.
The act of gathering, analyzing, and documenting this great volume of technological and physical data is overwhelming for the average MSP, taking days and sometimes weeks. It makes a PCI compliance offering prohibitive for many solution providers, excluding them from the opportunity.
The Power of IT Assessment
MSPs can address this challenge by leveraging IT assessment tools, which automate and simplify the unwieldy PCI compliance process, gathering data from the customer’s network, in addition to their physical security and data storage policies. Cost-effective assessment tools can automatically and comprehensively analyze this information, producing organized reports specifically designed to satisfy the exhaustive PCI DSS regulations.
An effective PCI compliance tool is ideally non-invasive and easy to deploy, so the MSP can produce the necessary documentation in a single client visit, as opposed to days or weeks. The RapidFire Tools Network Detective IT assessment solution, for example, includes a dedicated PCI module. Versatile solutions such as this also allow MSPs to manually incorporate information on the company’s policies and procedures, in addition to conducting granular scans of the network and its associated devices. The ability to accommodate both types of information on a single platform makes PCI compliance substantially less time- and labor-intensive.
Once an MSP invests in automated compliance tools, they can offer assessment services across a range of customers, delivering “Compliance as a Service” either as a value-added offering or a paid asset. Even when a scan is offered as a no-cost “loss-leader,” the vulnerabilities it reveals often lead to remediation projects, if not to long-term contracts for ongoing, quarterly assessments.
Solidifying Reputations, Advancing Revenue Streams
Although PCI compliance is a daunting topic for any MSP, the returns of an effective offering can be lucrative. Not only does such a program open new revenue streams, but the MSP can save their clients thousands of dollars in violation fees—if not altogether rescuing them from the business repercussions of a data breach. Such an offering can only solidify the MSP’s position as a trusted and entrenched IT advisor.
Now is an opportune time to deliver effective PCI compliance checks, in order to gain benefits as an MSP and to help your end-customers mitigate risks through a carefully thought-out and executed plan. Technology can guide the way, in very real human terms, by pinpointing vulnerabilities and supporting the development of overall solutions that incorporate both the physical and technological elements of compliance.
Pressure is on to protect businesses everywhere, so be proactive about getting your foot in the PCI compliance door. Otherwise, you run your own risk of competitors ushering you aside.
Drew Simons is president of Roxville Technology, Toronto, Canada. The company offers a cyber security practice that provides installation, configuration, support and monitoring of unified threat management firewalls, endpoint security, and backup, including via its own datacenter.