Fintech Start-Up? A cost-effective approach to achieving PCI DSS

You’ve got a splendid idea for a fintech startup. You carry out feasibility studies and the results show that you could become a unicorn in less than 5 years. You get a great team of highly talented developers and they build the product to taste. You connect with merchants via API, test run the product and it works just fine. There’s excitement in the air as the launch date is near. Now you can move the product from the staging environment to the production environment since it’s time to launch.

This is where you hit a brick wall. Your security chief tells you the product needs to get PCI DSS compliant or face penalties that arise from non-compliance. You get a security firm to prepare you a quote for this assessment and they get back to you with a sum large enough to build another product from the ground up.

Hey, you don’t need to spend such a large amount trying to achieve compliance with regulatory standards especially PCI DSS. In this article, I’ll take you through a couple of steps to ensure you achieve the exact same standards without having to break the bank.

1. Outsource security operations to a Managed Security Service Provider: As the name implies, a Managed Security Service Provider (MSSP for short) usually takes over an organization’s security operations for a low cost, a subscription fee. Without an MSSP, you’d usually have to purchase the tools required to secure your environment e.g security incident and event management tool (SIEM), antivirus, endpoint detection and response tool (EDR), security orchestration, automation and response tool (SOAR), etc. These tools are normally very expensive to purchase and they come with other unseen costs such as cost of licensing yearly, cost of maintenance of the infrastructure hosting the tool, cost of training the analyst who will man the tool, and so on. MSSPs already have these tools in their “box”. You could simply subscribe to their service and pay a fraction of what you should have paid had you owned the infrastructure, converting capital expenditure to operating expenditure.

Here’s a tip: You could negotiate with an MSSP to cover only assets in the scope of PCI DSS, drastically taking down your subscription fees. Smart move isn’t it?

When you’re an MSSP’s client and you’re in the process of getting certified for PCI DSS, you normally have to reach out to them to supply a bulk of the evidence….which they always already have on standby, just waiting for you to ask. It’s possible to take down your costs by almost 70 percent or more when you use the service of an MSSP.

2. Use internal qualified personnel for gap assessment: If you’re looking to save a fortune so your startup doesn’t run out of cash quickly, you’ll need to use an internal, qualified resource person who’s experienced and familiar with the PCI DSS framework to perform PCI DSS gap assessments. You’ll save a whoooole lot of money here. You see, it’s not wrong to reach out to cybersecurity consulting companies for this service but in this case, you’re a fintech startup whose cash strapped and needs to ensure the minimum is spent to get the maximum.

Where you’ll need to spend more money is during the Qualified Security Assessor (QSA) Audit, where you’ll need a qualified, certified professional to carry out the last stage of the audit and certify your startup compliant with the PCI DSS framework.

If you don’t use a qualified internal resource, you’ll have to spend more hiring two separate companies. One to perform gap assessments and another to perform the QSA audit. Would you rather spend on a company to perform gap assessments or rely on an internal resource who’s already getting paid monthly?

3. This third one here is a no-brainer. Use the cloud: You see, cloud service providers like Amazon, Azure, and google usually have to achieve compliance with different frameworks. Just like MSSPs, cloud service providers can provide you with evidence on demand. With that, you save a lot of time and stress on your part. You also have access to tools you could have spent a fortune buying e.g firewall. The cloud platform is pretty easy to configure for compliance. Just a couple of clicks here and there and you’re all set.

Running a start-up isn’t easy. Securing one isn’t too. Reduce the burden on you by cutting costs prudently.

--

--

--

At 386Konsult, We provide world class technology services that help business achieve high level performance and accelerated growth.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

What it takes to build a successful SME Tech startup

Inside the War Between Domain Flippers and Startup Founders

How to Start and Grow Your Own Boutique Strategy Consulting Firm

Stop Launching Startups

Five questions to ask yourself as a first-time founder raising funds

Mid-Semester Review: How is StEP doing?

Fundraising and Policing: How My Worlds as a Black Founder Collided

Navigating Disruption: Week 3

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
386Konsult Limited

386Konsult Limited

At 386Konsult, We provide world class technology services that help business achieve high level performance and accelerated growth.

More from Medium

Odysseas Sclavounis, a doctoral researcher at the University of Oxford, specializes in blockchain…

NUGENESIS SOLVES THE “RUGPULL PROBLEM”: GET IN EARLY AND CONTROL THE NEXT 100X MOONSHOT!

How AI and NPCs are solving the “Chicken and the Egg Problem” for social networks in 3D spaces.

Incorporating Blockchain Into Existing Business — RevInfotech Pvt Ltd