Curated Content for the IT & Network Security Industry

channelbytes tech talks
Too Much to Lose: Why Your MSP Should be PCI Compliant

Written by Chris Lee

December 10, 2019

Too Much to Lose: Why Your MSP Should be PCI Compliant

When you put your trust into a Managed Service Provider, or MSP,  there is a lot on the line. Since MSPs generally serve a wide variety of companies across a number of industries, they are responsible for making sure your systems adhere to the laws and regulations of each of those industries. “The same regulations and rules that have companies scrambling for compliance solutions can be equally perplexing for MSPs,” according to Channel Futures. And while this type of compliance can be a “virtual goldmine for services providers,” it can mean keeping track of any number of convoluted legal components where security is concerned, particularly in the areas of e-commerce and healthcare. 

Risk Factors

Besides the legality of compliance, global cybercrime damages in the e-commerce space are predicted to hit $6 trillion annually by 2021. With over a billion non-cash transactions happening globally every day, it’s more important than ever to keep every single payment on the highest level of security. E-commerce sites are at a greater risk for cyber crimes because the transactions are card-not-present (CNP) payment channels. As a result, the payment functionality of e-commerce web and mobile apps often have vulnerabilities with pretty dire consequences.

Standards for Safety

This is where Payment Card Industry Data Security Standard (PCI DSS) compliance comes in. PCI compliance is a proprietary standard used by organizations that accept payment through credit cards and is now mandatory for every e-commerce merchant that accepts credit or debit card payments on their website. All information entered by customers is sensitive data, so it must be well-protected. As a result, PCI was created over a decade ago to provide greater controls around credit card data to reduce the incidents of fraud that quickly became so rampant throughout the industry.

It has now become vital that customers know your website is secure in order for them to feel confident enough to supply their financial information. Having the added safeguard of working with an MSP who is PCI compliant provides an extra layer of protection in a very convoluted legal, and security-fragile, morass.

With a PCI DSS certified MSP, you have another expert source in your arsenal who has undergone rigorous assessments and security validation as if they provided cardholder services themselves.

PCI Requirements for Increased Confidence

To achieve PCI requirements validation for Level 1 Service Provider attainment you must pass the following parameters:

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
  • Quarterly network scans by an Approved Scanning Vendor (ASV)
  • Penetration testing
  • Internal and segmentation scans
  • Create and maintain secure networks
  • Protect cardholder data when in storage, and during transmission through public networks by using encryption methods
  • Have a vulnerability management program to protect software programs, systems and applications
  • Apply strong access control measures to prevent unauthorized employee access
  • Monitor secure networks to track access to cardholder data and regularly test security systems
  • Develop and maintain an information security policy for all your employees
  • Attestation of Compliance (AOC) declaration

These steps are required of all merchants who store, process, or transmit customer payment card data. PCI DSS also suggests how loss can be prevented, detected, and how to react if potential data breaches occur, providing protection for both merchants and cardholders.

Comply or Die

As we all know, malicious parties no longer need a high-level understanding of coding to hack into a system. All they need is a user’s password, and… disaster. So limiting access to cardholder data to only those parties and businesses that absolutely have to have it in order to fulfill their role is crucial, as well as a strict personnel policy surrounding information security.

Compliance isn’t a place to risk being lax. Every year, the Payment Card Industry Security Standards Council administers a check to ensure that companies are following the rules as instructed. Any MSP with customers in the retail industry is expected to keep those businesses in compliance and out of any potential legal risk.

in light of the inherent risks, picking partners that create an extra layer of protection for your customers, and, therefore, your business, is now a vital part of staying afloat in the world of e-commerce.


Stay up-to-date with IT vendor and partner promotions, tech updates, news and training opportunities

Post Categories

Stay in the Know on Changes in the Channel

Our once-monthly newsletter is curated for people working in the IT industry. Get your copy today.

Related Articles

Yes, Security is Still Important a Year into the Pandemic

Yes, Security is Still Important a Year into the Pandemic

As we mark the first anniversary of the COVID-19 pandemic, remote work and remote learning have both become the norm. Unfortunately, this shift to remote learning brings with it a myriad of cybersecurity concerns that need to be addressed in order to keep your...