Guide to Third-Party Proof


It’s a no-brainer to outsource 100% of your PCI compliance

For small and medium businesses, there is tremendous upside to outsourcing as much of your security and PCI compliance as you can. With the increasing cyber threats to payments data, using third-party providers for security and PCI compliance (including the provision of Third-Party Proof) is a no-brainer because your resources and security investments are smaller than those of the largest enterprises.

Nearly half of cyberattacks worldwide in 2015 were against businesses with fewer than 250 workers, according to cybersecurity firm Symantec.

While the term 'outsourcing' can have a negative connotation -- consequences like the loss of high-value jobs to offshore firms or corporate cost-cutting that can dilute the core competencies of a business may come to mind -- there is a positive side to outsourcing. The smartphone, for example, wouldn’t be around without its outsourced supply chain of designers, hardware manufacturers, chip-makers, telecommunication networks, software firms and marketing services. No company does it all on its own.

In security and compliance, there’s little downside and a big upside to PCI outsourcing

Security and compliance is a substantial endeavor to undertake -- one that can have dire consequences if handled incorrectly. Unless you’ve got resources similar to Home Depot, Target, Yahoo, or the US Office of Personnel Management -- and a greater commitment to security -- then you’re better off outsourcing 100% of your information security and PCI compliance. Unless it’s your primary business to keep up with the changing threat landscape emanating from hackers, criminals, and nation states, outsourcing is your best option. The vigilance to maintain, and invest in, the leading edge of security technologies and world-class talent is the only way to pursue security and compliance.

In an in-depth interview from the A16Z podcast, Marc Andreessen, American entrepreneur, investor, and software engineer, made a critical observation about security outsourcing. “From a technology standpoint, businesses either need to become first-class at security,…with first-class expertise and first-class funding, or they need to work with [cloud] vendors who are. … A lot of CIOs are becoming increasingly aware, especially at companies that haven’t mounted a first-class effort at talent and funding for security, that it is highly likely their cloud vendor is more secure than they are. And it’s highly likely that it has been that case for many years.”

Interestingly, though most folks think of physical supply chains or job-displacement when they think of the term 'outsourcing', the largest areas of outsourcing today are cloud-based services and “on-demand” businesses like those for provisioning tech talent -- such as Upwork or Toptal. Hosting, firewalls, scanning, penetration testing, education, certification, screening, payment systems, online shopping carts and more services are all available for maintaining a comprehensive security and compliance capability -- no matter the size, location, or type of your payment-dependent, information business.

It’s almost always the case that, with a proper outsourcing approach, dedicated security and PCI providers can minimize your risks while simultaneously reducing your costs.

The primary benefits of PCI outsourcing for security and compliance

1. Leveraging the latest technology - security technologies to reduce risk and secure your data at various levels: network, data, application and physical security 

2. Resource/transactional based billing - paying only for the resources and services you utilize is a more strategic allocation of your IT budget - saving more resources for the core activities of your business

3. IT spend efficiency - lower costs of using providers and reduced time to provision security services and talent

4. Higher levels of resiliency and availability - from providers that deliver higher-level service level agreements (SLAs) - ensure increased uptime and resiliency with the latest architectures, DevOps, and infrastructure.

You cannot outsource your responsibility for being PCI compliant, but you can put world-class providers and talent in charge of your security and PCI compliance controls - regardless of your business size, location, or IT budget.