HSM as a Service – meeting PCI data security standards

Looking at the cost of PCI-DSS compliance and how HSM as a Service can help FinTech companies really save on those compliance costs while still making use of the best-in-class security mechanisms.

The Payment Card Industry’s Data Security Standards (PCI DSS) mandate that all entities transmitting, storing or processing cardholder data must meet certain security criteria to ensure compliance. Noncompliance with these standards can lead to a fine or even a termination of service for the offending organization. These is plenty of information in the public domain on how to ensure compliance. However, for many FinTech start-ups, the real challenge is to ensure compliance while minimizing the cost of compliance.

The cost of compliance

In the banking industry, multi-billion dollar fines are not unheard of anymore. We live in a decade where large banks actually earmark several billion dollars towards both pre-emptive and reactive regulatory compliance and its associated costs (like fines and litigation for example). In fact, the entire RegTech industry exists in order to help companies optimize their regulatory compliance.

When it comes to the payment services industry though, PCI DSS compliance is probably one of the more important, and costly, variables in the regulatory cost equation. The cost of PCI DSS compliance can range from a few thousand dollars a year to several million depending on the size and nature of the business. This cost, like all other business costs, presents a significant barrier that new FinTech start-ups have to contend with if they are to compete toe-to-toe with the established financial service behemoths.

One way they are levelling the playing field is by optimizing their compliance costs.

HSM as a Service

Cloud services have been a godsend for small start-ups and even medium sized businesses. Rather than investing scarce resources on significant upfront capex outlays, start-ups can instead tap into cloud services and pay for what they use. Let’s take a brief look at the benefits of using HSM as a Service for PCI compliance:

• Scalability – This is one of the main reasons why fast-growing businesses opt for cloud solutions in the first place. Rather than continuously expanding your systems every few months, you can use a scalable cloud service provider and scale near-instantly based on your current volumes. This is especially true for things like Hardware Security Modules where you cannot afford to compromise on security or speed as they are part of the core service experience for your customers.
• Ease of Use – FinTech start-ups don’t have access to the massive resources of large established players. They cannot have a dedicated compliance or IT security department or at least not one big enough to cover every aspect of security or compliance. Using a cloud service allows them to focus on their core competencies and leave the details to the dedicated service providers. The fact is, even if these companies did hire in-house staff for many of these functions, a dedicated service provider will almost always have a cost and experience advantage.

We continue with the benefits of HSM as Service for PCI DSS compliance in part 2 of our series. In part 2, we also look at what factors must be taken into consideration when making a choice about opting for HSM as a Service for your PCI DSS compliance.

Blog post by Paul Abraham