PCI for the Mid-Market: Watch Out, You Just Entered the PCI Twilight Zone
As part of my duties with The CISO Group I recently spoke to the owner of a business who as a result of their success and growth crossed the boundary from the classic SMB into the mid-market. For this business owner it meant that he had to now put on his big boy pants because he was in the PCI Twilight Zone.
From the outset let me say that this business owner who makes custom products is exactly the kind of job creator that all of the politicians talk about as being the backbone of our economy. His little business had grown up to employ a few hundred people and generate quite a bit of business for the small town he is based in. Seeing him having to deal with PCI regulations and what it cost him made me wince and appreciate his pain. But at the end of the day, it wasn’t just PCI that was driving these changes, it really was about the risk to his business of a breach.
It seems this business takes credit card orders for their custom jobs. Their custom jobs can be from Five Thousand to Twenty Thousand or more dollars per order and he gets 5 to 20 such orders a day. So while the number of transactions was not high, the dollar figure of them are.
Up until about a year ago this merchant used a plain old terminal attached to a POTS line for his transactions. Then he decided that using payment applications on some of his workstations would allow him to capture data that would give him a better interchange rate and so pay less in transaction fees. Smart move by him. Unfortunately though it now meant that he was connected for transactions over the internet and that moved him into an entirely different class of merchant as far as PCI is concerned.
It meant under the latest regulations that in addition to an external scan by an ASV, he also had to do quarterly internal scans. He also had to prioritize his vulnerabilities. In essence he had to have a vulnerability management system in place. Of course it also meant that in addition to one firewall at the perimeter, he had to have zones and isolated networks for those machines that were handling transactions and data. He had to have IDS, log management, access control and no pun intended a host of other IT security related technologies, processes and policies in place in order to be compliant with the PCI DSS.
All of the above translates not only into some significant dollars in initial cost, but a real change ongoing in how his network and computers are managed. In fact when all is said and done, this is a change that will be measure in the tens if not hundreds of thousands of dollars.
Of course, one could say this is an awful lot to do for just PCI. Perhaps this business is just better off going back to a simple phone connected terminal. I understand that and part of me doesn’t disagree. But isn’t the real story here that it is more than just PCI we are talking about. PCI requires these merchants to do these things because they are based on best practices and sound risk management.
This merchant is now handling millions and tens of millions of dollars in transactions. He has lots of data and IP. He has real risk to worry about. It is easy when you don’t have much to not worry about not losing much. But when you have something to lose, you want to make sure you manage that risk.Thank goodness his business has grown the way it has and it is only natural that his IT needs and requirements should grow along with it. Prudent business practice and planning dictates that he makes these changes, not just PCI dictating it.
For this business owner though, PCI regulations are making him do this. He will tell you and all who listen that these darn regulations are a tax on his business. Never mind that PCI has nothing to do with the government and is a private regulation. It is a trigger for some major change in this case. This businessman who has successfully grown his business into a mid-size company has just entered the PCI Twilight Zone.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.