Compliance is more than following certain rules or avoiding fines. A non-compliant business risks, among other things:
- Data loss
- Customer attrition
- Erosion of customer trust
- Brand degradation
In other words, it risks debilitating its business, if not destroying it.
Online retailers are especially exposed to this possibility. Every week you hear stories of customer data being breached and credit card numbers being stolen. In 2006, five of the top credit card brands (American Express, Discover, JCB International, MasterCard, and Visa) established the PCI Security Council to develop and publish security standards and best practices at the POS (Point of Sale) for retailers to follow. The current PCI DSS (short for “Payment Card Industry Data Security Standard”), now at Version 3.0, is viewed as an ongoing process focusing on three steps:
- Assess — identify cardholder data, take an inventory of IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.
- Remediate — fix vulnerabilities, and do not store cardholder data unless you need it.
- Report — compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands you do business with.
These standards are common-sense guidelines; however, too many retailers either lack knowledge of these practices or lack the resources to keep abreast of them. As an MSP, you should bridge this gap for your clients. In doing so, you provide them an obviously valuable service while protecting your own business’s well-being, if only because you yourself are using a payment system of some type.
Here are three quick tips to help make your customers PCI DSS compliant:
Make sure you offer tools and processes to bring your clients to PCI DSS standards
Although you already have tools and processes to manage compliance for your own MSP business, your clients may require different solutions to maintain compliance, and you need those solutions to be available for them to use. MSP marketing consultant Ulistic writes in an undated blog post that no matter how great your team is at providing services like BDR (Backup & Disaster Recovery) and general security, your business could come “to a screeching halt” if you don’t offer PCI DSS compliance services:
For the protection of their customers, MSPs must first and foremost store all customer data on a secure network. And those security systems must be tested regularly to ensure that people’s personal information remains secure… Maintaining a network that protects customer information protects employees’ information, too. It’s a win-win situation. Many of our clients need help with PCI—are you helping your clients with PCI?
Be an active—and proactive—partner with your retail clients
Because many of your clients do not know how to put these standards into practice, anticipate their needs and provide pathways toward PCI DSS compliance. Assign an IT professional from your staff to your retail clients so that he or she can walk them through the steps needed to become compliant and then provide ongoing support.
Citing a 2011 Verizon report, MSPMentor contributing blogger John Moore says the report:
…offers a reminder that security — PCI or otherwise — shouldn’t be episodic. The job calls for a continuous cycle of vulnerability assessment, remediation, and re-checking. Within that regimen, MSPs may well find opportunities to expand their current role with customers [emphasis mine].
In other words, this extra effort may translate into more business for your MSP, as more of these tasks are outsourced to your trusted hands.
Think of PCI DSS compliance as a baseline, rather than a ‘catchall solution’
While PCI DSS compliance is important for the reasons we’ve discussed, don’t rely on it alone to protect your clients’ customer information. In a September 2014 post for the Kaseya Blog, Harrison Depner writes:
Regulations are not, and have never been a catchall solution. A chef doesn’t make good food because their restaurant passed a health inspection…If you work in retail IT, then PCI compliance [is] more like an acknowledgement that you’re not incompetent…Compliance is a minimal requirement and, like most minimum requirements, it logically follows that anything greater than it is better.
PCI DSS compliance is only one component of the comprehensive security strategy you want to offer your retail clients.
MSPs, do you have other relevant suggestions or tips about maintaining PCI compliance? Let us know in the comments or on Twitter!
Photo credit: Kayan via Flickr