It sounds like a simple question, doesn’t it: is it worth it for your organization to take credit cards online? Do the rewards outweigh the risks? If you’re a major retailer or service provider, or even a minor player in the game, the answer’s probably a no-brainer: you have to take credit cards online if you want to stay in business. But what if you’re a small business that hasn’t been taking credit cards, a boutique service provider, or a one- or two-person business? Then things start getting more complex, and the risk vs. reward equation becomes a lot more questionable.
Late last week a question came up on one of the many mailing lists I subscribe to: a sysadmin at a small service provider was asking a scoping question about PCI. His employer hadn’t been taking credit cards before but wanted to start doing some pass-through authentication and offering to collect cardholder information for small merchants, who’d download the information later. Sounds simple and easy enough to do. At least until you start looking at all the controls that have to be put in place to meet PCI compliance now that the service provider is taking credit cards.
One option the service provider has, and the one I think many small merchants and service providers are taking, is to ignore PCI or pay it lip service. I don’t have quantitative analysis to back that opinion up, but given the reactions of some larger companies to PCI, I can only assume that smaller merchants are displaying the same attitudes. After all, it’s only a small number of credit cards, hackers will never attack a small company, and the credit card companies don’t have the time to deal with the multitude of small merchants and service providers, do they? If only that were true: a large number of the breaches that don’t make the news would never happen, and forensics investigators would suddenly have a lot more time at home. The problem with this idea is that it’s an all-or-nothing crapshoot; either you’ll never get hit by a hacker, or one day you’ll get a call from the Visa fraud department asking about the large number of bad transactions that point back to you. That is the point where many small businesses have to close shop and call it a day because of the costs of an investigation.
The other option is to attempt to become PCI compliant in a meaningful way: installing an Intrusion Detection System and a File Integrity Monitoring solution, rewriting corporate policy, reviewing firewall rulesets on a regular basis, and all the other tasks related to becoming PCI compliant. If you’re a small service provider or merchant, this may mean hiring additional people or finding a third-party managed service provider to take care of these services for you. Even if you’re doing it yourself using free/open source software, just the cost of the additional manpower needed might be enough to take you over that tenuous line from profitable to unprofitable. And in the current economy, that’s a line no one wants to even flirt with.
I’ve dealt with a few service providers recently that have done the math and decided it’s not worth it for them to offer ‘PCI Compliant’ services. The overhead costs and risks involved just weren’t worth the few dollars they’d make on each client. If you’re a big service provider, the costs of many of the PCI-related safeguards scale well and don’t require a significant increase in spending. But for a small service provider, creating a number of the safeguards and controls needed can easily outweigh the potential profit. Much the same can be said of merchants; however, it’s much easier for a merchant to outsource card processing and storage.
If your boss is asking you to evaluate taking credit cards, sit down and do the math. Realistically, the option of ignoring PCI is there, but it’s something that is almost guaranteed to bite you eventually, not to mention the ethics and morality of a security professional ignoring security compliance. For most smaller service providers I suspect the cost of implementing PCI controls will far outweigh the potential profit of taking credit card numbers and storing them, even if you already have many of the safeguards in place. Don’t talk to the marketing guys about the technologies that have to be in place; instead, explain the costs involved and the risks that the company will incur by taking credit card numbers. If your business decides that the risk is worth the potential profit, then do the best job you can to secure the cardholder environment. After all, that’s what security professionals are really here to do: evaluate the business risk, then do what they can to minimize that risk.