Over at Storefront Backtalk, Evan Schuman opined that PCI compliance is hard to justify. I have a great deal of respect for Evan. He’s a good writer and he knows his stuff. But on this one, I have to disagree. He might have a good point regarding the TJX and Heartland Payment Systems of the world, but not for the average small merchant.
It’s certainly true that there is no Return On Investment (ROI) for getting into compliance. For large merchants, it can be a very time consuming and expensive proposition and it doesn’t put a single dime into their receivables column. And I suppose that Evan is right in his thinking that $525,000 is nothing more than a nuisance payment for the $19 billion retail chain.
But for a huge number of small merchants, PCI compliance is fast and easy. Merchants that outsource their payment process in its entirety need only spend 20-30 minutes filling out the SAQ-A (Self-Assessment Questionnaire A, the shortest of the self-assessment forms) and they are good to go. To me, that's a no-brainer.
Look at it this way. There is no ROI on car insurance or health insurance. You pay and pay and pay again. You sometimes wonder why you do it. Then one day you have an accident or you get sick and you begin to see the advantage. What could have cost you thousands, even tens of thousands, of dollars may cost you only a deductible. All of a sudden all those payments make perfect sense.
Think of PCI compliance as an insurance policy. You could go for 20 more years and never get victimized by a hacker, but don’t count on it. It could happen tomorrow. It WILL happen tomorrow to someone. When it does, your compliance might make the difference between business as usual and shutting your doors. Why would small merchants want to put themselves at risk of going out of business when a few minutes of their time could prevent it?
Remember that ALL merchants MUST be PCI compliant. If you process fewer than 20,000 Visa/MasterCard e-commerce transactions annually and fewer than 1,000,000 transactions across all channels, AND you outsource your payment process, then compliance costs you nothing beyond the few minutes spent on the questionnaire. Why would you not want to do it?
Of course, none of this even matters after October 2010. If you're not compliant by then, you can expect that your acquirer will shut you down anyhow.
Wake up merchants. You need to be PCI compliant. It’s not an option.


Tom, you are bang on here... for those that outsource, that is.
For those that choose NOT to, please be aware of what you are getting into. You can see my blog entry on the conversation had during hostingcon2009 about this very topic, from the perspective of web hosters. SIGNIFICANT work involved, and yeah, anyone who is in the billions of sales will not be concerned about the infrastructure requirements.
Perhaps a better use of this new 'educational bandwidth' we have with the looming compliance deadline: to outsource or not to outsource; operate it yourself or hire trusted experts. There are many pros and cons, but at this point, with only 3 shopping cart vendors stated to be pursuing their own PCI compliance certification, there will be many merchants left in the lurch.