Small business owners have to save money wherever they can. But when it comes to cybersecurity, cheaping out on your PCI compliance software can actually end up costing you more.

This happens because DIY approaches to PCI often create security gaps that (spoiler alert) mean you’re not PCI compliant and also not protecting your business from malicious threat actors.
David Salazar, Director of SMB at SecurityMetrics, says small business owners are usually suspicious of PCI. They often worry that PCI is a “money grab from the acquirers... just another fee they’re trying to tack on to my monthly statement.”
Every business, including merchants and small business owners, must be PCI compliant if it takes credit card payments. PCI is a compliance standard that comes from the major payment card brands (think VISA, MasterCard, etc.).
Another myth that SMBs encounter is that they don’t need any compliance software at all; they only need to download the Self-Assessment Questionnaire (SAQ) and fill it out. In fact, trying to accomplish PCI all on your own often means you just don’t do it at all.
So, how do you know which PCI compliance software will work for your SAQ type and your small business needs? The biggest piece of advice Salazar has for small business owners is to first get rid of any “check the box” mentality they may have, and instead, look at PCI compliance as a way to actually secure their business.
SecurityMetrics experts are routinely trusted to scope merchants, as customers rely on us to help them identify the correct SAQ and what software they need. Remember, attempting to choose the right SAQ and meet its standards without expert guidance can leave you exposed.
Pro Tip: Understand that SAQs A, B, C, or D require proof. For example, if you check "Yes" to "We perform employee security training," you must have documentation. If you check "Yes" to "We perform quarterly network scans," you need reports from an Approved Scanning Vendor (ASV).
One of the risks you take when choosing the cheapest solutions or a DIY, mismatched approach is that they often provide an incomplete or non-certified service, forcing you to either purchase costly add-ons or not pass your SAQ.
In fact, I’ve often found that small business owners are unaware of the following hidden risks:
PCI Fines: PCI fines for non-compliance, levied by banks and card brands, can range from $5,000 to $100,000 per month until compliance is achieved.
Missing Certification: Some low-cost providers may offer network scans, but the bank requires documentation from an Approved Scanning Vendor (ASV) or a Qualified Security Assessor (QSA) (like SecurityMetrics). Don’t forget: relying on an uncertified scan means the time and money you spent were wasted because you won’t actually be PCI compliant.
Liability in the Fine Print: As a business owner, it’s important to be aware of who carries the risk of compliance. When you use built-in compliance from a partner (like a payment processor or ecommerce platform), the liability is often subtly shifted back to you.
David Salazar explains this phenomenon as “‘legalese wording’ in terms of service that states that you are responsible for your business environment, pivoting away the liability from the payment processor or platform. This is especially confusing for SMB owners who believe that because their business partner’s software is compliant, they must be as well, but it’s actually still the SMB owner’s responsibility.”
The single largest, non-financial cost of a cheap or DIY compliance approach is the drain on employee time and payroll. You save money on the compliance fee, but hemorrhage it in non-revenue-generating labor.
This is especially true for two key requirements that small businesses often try to manage internally: employee training and internal scanning/data discovery.
David Salazar has seen firsthand the consequences of trying to DIY training, recalling a past retail experience where “employees had to come in on a Sunday when the store was closed. They were obviously not generating revenue to come take a test or a quiz, and both the employees felt their time was wasted, and the SMB saw this as a waste of payroll hours.”
To combat this, Salazar suggests a dedicated, asynchronous training program that allows employees to complete required security awareness training during downtime, eliminating the massive, high-cost investment of gathering your entire team (and management) off-hours just to check a box.
Research shows that the Return on Investment (ROI) of security awareness training is high, with smaller companies saving an average of $149 annually per employee by investing in formal training programs.
Pro Tip: Did you know that SecurityMetrics’ PCI Compliance for SMBs includes employee training? Check it out here.
Requirements like removing stored credit card data from your computers (PAN/PII scanning) are often attempted internally. In reality, a specialized, inexpensive tool like PANScan costs a fraction of going DIY. If you don’t know what you’re doing and are worried about using such a tool, you can always outsource to an IT team and pay by the hour for assistance, so you get it right the first time.
To achieve the lowest Total Cost of Ownership, you must prioritize simplicity, scope reduction, and bundled expertise.
If you want to save money, remember that the cost of PCI compliance software is more than the initial purchase price. Here are two things you can do to save money:
When it comes to the best cost-saving strategy, David Salazar’s top piece of advice is to “simplify your environment.”
A reputable provider doesn't charge just to "check the box." They bundle all the services you need: certified ASV scans, employee training seats, policies, and the SAQ tool itself. When it comes to bundling your PCI needs, Salazar strongly recommends working with an expert who can go through what your SAQ type is, what you need to get PCI compliant, and can create a customized plan for you. This approach can “ensure you’re starting off on the right foot by getting everything you need for filling out your SAQ.”
A dedicated, streamlined compliance package is an investment that buys you time and peace of mind. Remember, if you take the time to get the right software the first time, next year's validation/SAQ process will be much simpler, saving you time and money and letting you focus on running your business.