PCI Compliance Solution? Be PCI Free
By Susan Kohl, CEO, ThoughtKey, Inc.
PCI is more than a three-letter acronym that most businesses would rather not associate with their environment. It can be your enemy or your ally, depending on where you sit:
1. Vendor profiting from PCI-related solutions: PCI is clearly your ally.
2. Payment processor paying the ongoing price of maintaining PCI compliance: PCI is your enemy.
3. Merchant simply struggling to reach the desired profit (the most difficult case of all): you do not even want to think about PCI until someone forces you to.
I spend endless hours advising clients on how to “cope with” the onerous PCI standards plus the numerous state data security laws (we will refer to these collectively as “standards” for purposes of this article).
Translating these standards into an implementation plan can be complicated. The solutions and procedures needed depend heavily on the specific operation and technology environment. Unfortunately, there is no one-size-fits-all implementation plan.
My PCI Strategic Risk Advisory approach often catches my clients off guard. They engage me to help them implement PCI, the core of my business, but my first objective is to figure out how to eliminate PCI applicability from their environment. Other than not accepting credit and debit cards as a payment method, how can merchants achieve this objective? The answer is simple – ELIMINATE ACCESS, TRANSMISSION, AND/OR STORAGE OF CARDHOLDER DATA. One of my Florida clients termed this appropriately as “Be PCI-Free”. The slogan fits and makes sense.
With the advent of hosted solutions (often referred to as "SaaS", software as a service) merchants can now be PCI-free while still accepting credit and debit cards: the customer enters card data on the provider's hosted page, so the card number never enters the merchant's systems. What makes several hosted solutions even better is the recent availability of tokenized data elements. A token is a surrogate value that stands in for the card number and has no value outside the provider's system, so a merchant that needs certain payment transaction details to serve customers can still keep them when it selects a hosted solution that returns tokens. For example, merchants may need payment data to manage 1) customer dispute resolution, 2) recurring/subscription payments, and 3) targeted marketing and analytics.
My merchant client projects begin with a few key questions. The responses are used to build a data inventory and to determine which data security strategy best fits the business model.
Data Types: What types of non-public data (bank account information, credit and/or debit card data, social security numbers, etc.) exist in the business environment?
Quantity: How much of this data exists?
Where: Where is this data?
Handling: How is this data handled (access, transmitted and/or stored)?
Why: Is this data necessary?
Whenever the responses allow it, I strongly advise my merchant clients to avoid handling any cardholder or other non-public data at all by using a hosted solution with tokenization. We then work together to evaluate the hosted solution vendors that match their business model and industry. The benefits to a merchant of a hosted PCI compliance solution with tokenization are considerable:
- Significant reduction of data breach liability (shifted to the hosted provider) - $$$$
- Elimination of PCI managing costs (shifted to the hosted provider) - $$$
- Reduce internal data storage and managing resources (shifted to the hosted provider) - $$$
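The inventory questions above ("Where is this data?") and the hosted tokenization approach can be modelled end to end. The following Python is an added example, not code from the article or from any provider: a Luhn-validated card-number scanner that finds PANs wherever they sit in a merchant's records, and a hypothetical `HostedTokenVault` class standing in for the provider's hosted payment page and token vault. The card numbers are well-known test values (constructed sample data, not real cards), the vault is a plain dictionary rather than the encrypted store a real provider would run, and all names are assumptions for illustration.

```python
"""Cardholder-data inventory and hosted tokenization, modelled end to end.

Added example, not from the article.  Two pieces:
  * find_pans(): a Luhn-validated card-number scanner that answers the
    "Where is this data?" inventory question over arbitrary text.
  * HostedTokenVault: a hypothetical stand-in for the hosted provider.  The PAN
    is entered on the provider's page, the provider keeps it, and the merchant
    receives only a random token plus the last four digits.
The card numbers are well-known test values, not real cards; the vault is a
plain dict (a real provider encrypts at rest inside its own validated environment).
"""
import re
import secrets

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# bounded by word boundaries so digit runs embedded in other tokens are skipped.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid candidate in text, normalised to digits only."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):          # length is already 13..19 by construction
            hits.append(digits)
    return hits


def scan_records(records: list[dict]) -> list[str]:
    """Inventory check: PANs found anywhere in a merchant's stored records."""
    found: list[str] = []
    for rec in records:
        for value in rec.values():
            found.extend(find_pans(str(value)))
    return found


class HostedTokenVault:
    """Hypothetical stand-in for the hosted provider's side of the flow."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> PAN; never leaves the provider

    def capture(self, pan: str, exp: str) -> dict:
        """Hosted payment page: takes the PAN, hands the merchant a token.

        The token is random, so nothing about the card can be recovered from it;
        the last four digits are the truncation PCI DSS permits merchants to keep.
        """
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:], "exp": exp}

    def charge(self, token: str, amount_cents: int) -> dict:
        """Recurring charge by token; detokenisation happens only here."""
        pan = self._vault[token]          # KeyError for an unknown token
        return {"token": token, "amount_cents": amount_cents,
                "approved": True, "last4": pan[-4:]}


def migrate_to_tokens(legacy: list[dict], provider: HostedTokenVault) -> list[dict]:
    """Replace each stored card with the provider's token summary."""
    tokenized = []
    for rec in legacy:
        if "card" in rec:
            summary = provider.capture(re.sub(r"[ -]", "", rec["card"]), rec["exp"])
            tokenized.append({"customer_id": rec["customer_id"], **summary})
        else:
            tokenized.append(dict(rec))
    return tokenized


def demo() -> tuple[int, int, bool]:
    """(PANs in the legacy store, PANs after tokenization, recurring charge still works)."""
    legacy = [   # constructed sample records
        {"customer_id": "c1", "card": "4111 1111 1111 1111", "exp": "12/27"},
        {"customer_id": "c2", "card": "5500-0000-0000-0004", "exp": "03/26"},
        {"customer_id": "c3", "order_ref": "20240115123456"},  # digits, not a card
    ]
    provider = HostedTokenVault()
    tokenized = migrate_to_tokens(legacy, provider)
    receipt = provider.charge(tokenized[0]["token"], 1999)
    return len(scan_records(legacy)), len(scan_records(tokenized)), receipt["approved"]


if __name__ == "__main__":
    print(demo())   # (2, 0, True)
```

Running `demo()` shows the point of the approach: the legacy records contain two card numbers and are in scope, the tokenized records contain none (the 14-digit order reference is rejected by the Luhn check rather than reported as a false positive), and the merchant can still run a recurring charge against the token because detokenisation happens only inside the provider.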
If a hosted solution with tokenization is not possible for their environment, then we begin evaluating the business environment against PCI and the other data security rules. Even with a hosted provider, the merchant remains responsible for confirming the provider's PCI DSS validation and for the reduced set of requirements that still apply to its own environment.

Susan Kohl is CEO of ThoughtKey, a payment industry boutique consulting firm focused on PCI, regulatory compliance, risk management and expert testimony, serving all parties in the payment industry value chain. You can reach Susan via email or phone (678)522-2466 or on Twitter @PCISK.