
31 Oct The Impact of PCI Compliance: Effective Tools to Protect Against Costly Threats
Part 2 of a 2 Part PCI Compliance-based Blog
By Mark Winter, Vice President of Sales, RapidFire Tools
PCI data breaches are costing payment card-accepting companies more than ever before, which translates to opportunity for MSPs who leverage PCI compliance tools. Such breaches can result in crippling financial and reputational blows to organizations large and small. This is especially true for the nearly 22 million companies around the world – about half of them in the United States – which maintain merchant accounts and accept credit card transactions.
Major breaches affecting the payment card industry (PCI) and associated sectors have included high-profile, costly hacks going back as far as 2007 and as recently as this September, involving TJ Maxx, Target, Home Depot, and lately both Equifax and Deloitte. Such breaches take even industry-leading merchants by surprise, turning 2017 into what CNN recently labeled “a banner year for cyber attacks.” The above events compromised the personal and financial data of hundreds of millions of consumers, and have so far cost the companies in question hundreds of millions of dollars in penalties and settlement fees.
The most current IBM Cost of Data Breach Study, conducted by the Ponemon Institute, puts the average cost to US companies in 2017 at $225 per lost or stolen record, and breaches can involve hundreds or thousands of such records. That cost has increased from the $221 reported in past studies. The IBM-funded study also found that security breaches are increasing in frequency and size, which would theoretically inflate the latest figures.
In addition to fines of up to $100,000 per month for failing to maintain PCI DSS compliance, non-compliant companies that compromise customer data can be fined more heavily in civil court actions brought by their customers. TJ Maxx and Marshalls eventually paid out approximately $256 million in fines and damages associated with 2007 data breaches involving some 45 million customers. The Equifax breach, which may have exposed the personal and payment card data of nearly 145 million U.S. consumers, could cost the company far more.
With the price of such breaches at record levels and rising, MSPs serving PCI customers have a tremendous opportunity, or even an obligation, to implement PCI compliance solutions like RapidFire Tools’ Network Detective assessment modules for their client base.
PCI compliance services are easy to sell, install, and manage across SMB and midmarket customers, especially for MSPs that are just entering this highly regulated marketplace, as long as the MSP has the right tools for the job.
Toronto-based MSP Roxville Technology, for instance, had a client whose cybersecurity insurance required that it become PCI compliant, and the client turned to Roxville to accomplish that. The MSP added the Network Detective PCI Compliance module to deliver on this request, and to keep the client from going elsewhere for this service.
“PCI compliance requirements can be extremely technical and complex,” explained Drew Simons, president at Roxville Technology. “It involves a comprehensive list of standards that need to be met. Network Detective gathers a broad range of information to satisfy those requirements, producing a selection of documents and policy recommendations that would be prohibitively time-consuming to produce otherwise.”
MSPs find that PCI compliance tools like Network Detective often generate revenue once the MSP is asked to address the issues revealed by network assessment scans.
“When we implemented the PCI Compliance module, it immediately identified some internal vulnerabilities that we were able to address,” Simons confirmed. “Using Network Detective has generated thousands of dollars in additional remediation work associated with this client. We’re now in the process of rolling out PCI assessments for other clientele, initially as a value-add, but with the knowledge that it leads to mediation projects that can be lucrative. In the future, we’ll move on to providing it as a paid service.”