How valuable is PCI compliance to your organization? Answering that question should be the first thing any organization does before they consider getting a PCI compliance certification. Whether you are a merchant or a service provider, the answer to that question provides context for the next steps.
For some companies, the answer may be obvious: “well, without being certified as PCI compliant, we really can’t do business because our customers buy our products using payment cards.” Fair enough. But for other companies, namely those in the B2B SaaS market, either not asking the question or answering it incorrectly can have a significant impact.
How do I assess the value of PCI compliance for my organization? The question does not assume that you are thinking about becoming PCI compliant, nor does it rely on your organization already being PCI compliant. It’s applicable in both cases. At the end of the day, the things that likely matter to your organization are one or more of the following, depending on your organization’s maturity:
- Increasing revenue
- Reducing or managing risk
- Decreasing costs
For this blog post, we will focus on “Increasing Revenue” and “Reducing or managing risk.” If you are in the high-growth technology industry, your focus is likely the first one and maybe the second one. If your organization is more consumer-focused or your market capitalization is more than $1 billion, risk management is probably high on your radar as well. So how does PCI compliance relate to “increasing revenue?”
Firstly, PCI compliance certification may unlock new market opportunities for your organization. Consider the following scenario:
TeleCorp has been in business for around ten years, and they have a very robust outsourced contact center solution offering that sustains approximately $35M ARR from its existing contracts. TeleCorp has the capability to provide outsourced contact center services to anyone. Still, they have been prevented from marketing and selling services to some of their target accounts in the hospitality industry because those accounts require vendors who will touch payment card data to be certified as PCI DSS Level 1 compliant. TeleCorp has identified at least three accounts that are highly likely to sign contracts for services within three months of TeleCorp becoming PCI compliant, and another nine accounts TeleCorp believes it has a good shot to win over the next 12 months. With the high-confidence and likely account wins considered, TeleCorp stands to increase ARR by $3M over the next 12 months by becoming PCI DSS Level 1 compliant.
Like TeleCorp, many organizations must maintain their existing PCI compliance to retain existing contracts, and failing to maintain compliance on an annual basis would jeopardize future planned revenue.
If your organization is not yet PCI compliant but is considering it, assess if there are any target accounts, industries, or markets in which PCI compliance either gives your organization a competitive advantage or is the “price of admission.”
Secondly, as organizations IPO, receive later rounds of funding, or become an enterprise, risk management becomes a major topic of conversation in addition to top-line revenue growth. Consequently, we see organizations move up-market with their PCI assessments, expecting PCI compliance to drive payments-related cyber risk management in addition to facilitating access to markets and accounts that depend on PCI compliance.
The PCI DSS is one of the more prescriptive cybersecurity frameworks out there, with clearly defined testing procedures, guidance, and objectives, in contrast to other security or reporting frameworks, which allow organizations much more flexibility. The PCI DSS also tends to be a very technical framework, with over 300 controls that take a fine-tooth cybersecurity comb to the in-scope environment. And while the DSS focuses on the confidentiality of card data, many of the processes and system components in scope for PCI assessments are shared with the rest of the enterprise. For instance, an organization will typically have only one incident response process and one SIEM/SOC, not one for the PCI environment and one or more for the other parts of the organization’s environment. As such, PCI DSS assessments performed by capable QSAs can produce a strong review of an organization’s security posture, making them a preferable option for the assessment of cybersecurity controls and operations.
The bottom line here is that certification for PCI DSS Level 1 compliance can be a strong revenue enabler and risk management mechanism. It’s a lever that organizations can pull. Still, like anything else, the organization needs to build a business case for the value unlocked or the potential risk mitigated before it endeavors down the path of PCI compliance.
Stay tuned for a subsequent blog post on how to think about the Capex and Opex associated with becoming and maintaining PCI compliance to help you complete your PCI compliance business case!