And that requires them to take a long-range view.
When evaluating payment security options, retailers have to consider all the costs involved, from the capture and transmission of payment data to storage to back-office tasks such as manual review and chargeback management, according to a new report from electronic payment and risk management services provider CyberSource Corp.
The report, “A Manager’s Guide to Comparing the Cost of Payment Security Strategies,” is based on interviews with a half dozen retailers (only some of whom are CyberSource customers), and a half dozen consultants.
To effectively compare costs between an in-house system and a hosted offering, retailers should evaluate all the costs associated with securing data through the transaction lifecycle—including systems, staff and processes.
But, in doing so, retailers must keep in mind that costs associated with the implementation phase, which usually spans the first year of the technology lifecycle, often increase if a retailer is switching from an in-house to hosted approach.
That’s because during the system migration they often have to continue maintaining their program, while also paying for setup costs, says the report.
That’s why retailers need to look at the long-terms costs, says Lauren Wang, CyberSource group manager, solutions marketing. “In order to really understand the total costs of their payment security options, retailers have to take a look at a broader period of time,” she says.
For instance, when retailers with in-house systems experience growth, they need to add additional staff, hardware, software, encryption keys and other technology components. For those using an outside vendor, they still might incur costs associated with the growth but capacity and upgrade expenses are born, in part, by the vendor.
Whether a retailer chooses to go in-house or use a vendor, annual PCI certification costs, which include audits, assessments and quarterly security scans, represent an ongoing cost of business.
For retailers with in-house systems, the ongoing changes to PCI certification rules require constant training of staff on security policies, procedures and system changes. Even retailers that work with a vendor must consider regular training of their IT staff.
“Retailers have to look at PCI compliance as an ongoing cost since they need to be PCI compliant today and tomorrow,” says Wang. “There are the setup costs, but also the costs associated with making sure the system is working.”