I always enjoy meeting with colleagues in the industry as I learn something every time. I’ve had a chat with a few of you out there and I’m trying to figure out why more companies continue to insource their payment processing and complain about PCI DSS and breaches as opposed to just outsourcing. Thinking back to some of the challenges in previous jobs, I may have helped answer it thanks to a conversation yesterday morning.
All providers of IT services want their customers to integrate their product or service into internal IT systems. It creates stickiness and makes it hard to change vendors. Tools like anti-virus, DLP, SIEM, and knowledge management platforms that achieve some level of integration are rarely swapped out. Something major has to happen to cause the swap to occur, simply due to the very high (and very real) switching costs. These seem to spiral out of control the deeper the service provider is integrated with the company.
I was chatting with a colleague yesterday and I posed this simple question: “Why are more companies not completely outsourcing their payments infrastructure to avoid dealing with PCI DSS and the breaches associated with payment card processing?” It’s a clear choice to me. The benefits of outsourcing far outweigh the benefits of insourcing—all the way down to the bottom line. So why are more companies not switching?
The light bulb went on when I was talking about a recent experience with a company and the fact that a switch in vendors constitutes a rip/replace action. It’s expensive, and frankly unnecessary as the system in question is not tied to the revenue side of the business. If the message is primarily carried by compliance managers to the IT folks, of course they don’t want to change. I can hear the conversation now… “We haven’t been breached yet, which means our security must be working. I don’t have the resources for a switch. Call me when it’s time for happy hour.”
I’m wondering if the conversation is happening at the wrong levels. For example, I can see a very clear business case from an overall payments perspective to outsource, including an instant amortization of costs associated with processing hardware. I believe that an outsourcing approach for most retailers (there are always exceptions) would yield a net-POSITIVE return on investment through lower fees all around. It may not be realized in year one, but it would definitely happen further down the line.
I’m convinced that this is the true path to payments nirvana for all sides of the payments equation: IT, security, compliance, finance, and the business. I’d love for folks to present arguments to the contrary below in the comments. Let’s have a discussion!