Descoping: An Investment Providing Savings & Returns
Descoping your environment from the requirements of PCI DSS is a no-brainer! Keeping customers’ card data out of company systems and minimizing contact areas where data is processed or stored can only be a good thing. The simplest way to do this is by outsourcing payment processes to a compliant third party.
There are many benefits of descoping. While the most obvious benefit is the achievement, and maintenance, of PCI DSS compliance (plus, industry leaders and the PCI Security Standards Council recommend this approach), another great benefit is the cost savings your organization could realize.
From decreasing necessary infrastructure updates and eliminating the cost of penetration testing and vulnerability scanning, to minimizing additional employee training and reducing the chance of a costly data breach, descoping as a means of achieving compliance can be an investment with a worthwhile return.
Here are three areas where your organization can save money by descoping:
1. Technology and Network Segmentation
When you descope, your organization’s technology (such as desktops, WIFI and malware software) is no longer under the strict PCI requirement to patch and update frequently and constantly.
You also save money by no longer having to deal with network segmentation. This is typically the biggest ‘technical’ cost by far. Organizations that don’t descope must perform network segmentation to keep card payment data separated from business systems. Not only is this expensive, but it can also be onerous.
Businesses have spent years integrating all their systems together, only to now be told they need to separate their networks out again to stop back-office staff from having access to any system that might have card data flowing over it. Instead of completing a counter-intuitive process, descoping allows technology to work as it was originally designed.
Further, most companies traditionally have one big ‘flat’ local area network (LAN) where employees can connect their computers anywhere and reach everywhere. To segment the LAN into secure sections costs lots of money and time, potentially causing disruption. However, it must be done to stop a would-be hacker from attaching to the network (by Wi-Fi or cable) and gaining access to card data flowing over the network.
With descoping, these otherwise necessary actions disappear from the to-do list.
Cost savings surrounding employees are dynamic when descoping happens. For one thing, specialized billing departments are no longer required, as any agent is now able to take payments securely.
In addition, employee onboarding costs are reduced. Training becomes less complicated, with the focus being on the personal interaction instead of multiple processes and transfers. This saves time and reduces the potential for employees to miss important information on data security, since they no longer need to learn it.
Employee background checks become less necessary, as descoping means employees are no longer able to steal personal payment card data – and your organization is no longer liable.
The Payment Card Industry Data Security Standard assumes that all contact centre agents are malicious insiders. For this reason, it instructs organizations that have not descoped to treat them as internal threats. This means:
- Completing background checks
- Having CCTV in place
- Stopping them from accessing, or restricting access the Internet and their personal email while at work
- Turning the contact centre into a ‘securely monitored environment’
- Forbidding phones and bags from entering the contact centre environment
It’s no surprise that contact centre agents also tend to be happier when their organization has descoped, with the above bulleted actions no longer taking place. Their jobs are simplified, and they have a more relaxed work environment. Burnout doesn’t happen as quickly, either.
Assuming happier agents are less likely to leave a company, the cost of recruiting and onboarding new talent decreases.
Happier agents are also more likely to have better interactions with customers, resulting in better service (and maybe even more sales). After all, a positive customer representative provides a more positive customer experience.
3. Data Breaches
When an organization descopes its environment from the requirements of PCI DSS, the chances of a data breach decrease dramatically. After all, a bad actor can’t steal personal data that isn’t there.
While this cost savings area might seem obvious, it is worth emphasizing.
According to IBM’s Cost of a Data Breach Report 2020, the average total cost of a data breach is $3.86 million. This total is comprised of costs across four different categories:
- Activities that enable a company to reasonably detect the breach.
- Activities that attempt to minimize the loss of customers, business disruption and revenue losses.
- Activities that enable the company to notify data subjects, data protection regulators and other third parties.
- Activities that help victims of a breach communicate with the company and redress activities to victims and regulators.
Essentially, it’s expensive to have your data breached, identify it, and ensure minimum reputational damage. Speaking of reputational damage, 64% of consumers in UK and US will avoid a company after a data breach. 30% and 17% respectively say they will never return.
Descoping is a great move for any organization taking payments. Not only does it mean removing work from the organizational to-do list, it can also provide a true wealth of savings both financial and otherwise.
If you’re still not convinced descoping is the right move, you may want to become familiar with the 19 tasks every organization needs to complete when descoping isn’t a part of its strategy.
We’ve compiled these tasks into a checklist for you, but ultimately, our advice is to be more like Dom! 😉