Fintech Start-Up? A cost-effective approach to achieving PCI DSS

You’ve got a splendid idea for a fintech startup. You carry out feasibility studies and the results show that you could become a unicorn in less than 5 years. You get a great team of highly talented developers and they build the product to taste. You connect with merchants via API, test run the product and it works just fine. There’s excitement in the air as the launch date is near. Now you can move the product from the staging environment to the production environment since it’s time to launch.

This is where you hit a brick wall. Your security chief tells you the product needs to get PCI DSS compliant or face penalties that arise from non-compliance. You get a security firm to prepare you a quote for this assessment and they get back to you with a sum large enough to build another product from the ground up.

Hey, you don’t need to spend such a large amount trying to achieve compliance with regulatory standards especially PCI DSS. In this article, I’ll take you through a couple of steps to ensure you achieve the exact same standards without having to break the bank.

1. Outsource security operations to a Managed Security Service Provider: As the name implies, a Managed Security Service Provider (MSSP for short) usually takes over an organization’s security operations for a low cost, a subscription fee. Without an MSSP, you’d usually have to purchase the tools required to secure your environment e.g security incident and event management tool (SIEM), antivirus, endpoint detection and response tool (EDR), security orchestration, automation and response tool (SOAR), etc. These tools are normally very expensive to purchase and they come with other unseen costs such as cost of licensing yearly, cost of maintenance of the infrastructure hosting the tool, cost of training the analyst who will man the tool, and so on. MSSPs already have these tools in their “box”. You could simply subscribe to their service and pay a fraction of what you should have paid had you owned the infrastructure, converting capital expenditure to operating expenditure.

Here’s a tip: You could negotiate with an MSSP to cover only assets in the scope of PCI DSS, drastically taking down your subscription fees. Smart move isn’t it?

When you’re an MSSP’s client and you’re in the process of getting certified for PCI DSS, you normally have to reach out to them to supply a bulk of the evidence….which they always already have on standby, just waiting for you to ask. It’s possible to take down your costs by almost 70 percent or more when you use the service of an MSSP.

2. Use internal qualified personnel for gap assessment: If you’re looking to save a fortune so your startup doesn’t run out of cash quickly, you’ll need to use an internal, qualified resource person who’s experienced and familiar with the PCI DSS framework to perform PCI DSS gap assessments. You’ll save a whoooole lot of money here. You see, it’s not wrong to reach out to cybersecurity consulting companies for this service but in this case, you’re a fintech startup whose cash strapped and needs to ensure the minimum is spent to get the maximum.

Where you’ll need to spend more money is during the Qualified Security Assessor (QSA) Audit, where you’ll need a qualified, certified professional to carry out the last stage of the audit and certify your startup compliant with the PCI DSS framework.

If you don’t use a qualified internal resource, you’ll have to spend more hiring two separate companies. One to perform gap assessments and another to perform the QSA audit. Would you rather spend on a company to perform gap assessments or rely on an internal resource who’s already getting paid monthly?

3. This third one here is a no-brainer. Use the cloud: You see, cloud service providers like Amazon, Azure, and google usually have to achieve compliance with different frameworks. Just like MSSPs, cloud service providers can provide you with evidence on demand. With that, you save a lot of time and stress on your part. You also have access to tools you could have spent a fortune buying e.g firewall. The cloud platform is pretty easy to configure for compliance. Just a couple of clicks here and there and you’re all set.

Running a start-up isn’t easy. Securing one isn’t too. Reduce the burden on you by cutting costs prudently.