Why fintech companies of any size should outsource PCI
“All that time it would take to build the infrastructure and go through the PCI DSS audit on our own we could be spending on building a better product or launching into new markets.”
– Oleg Murasko, VP of Engineering, TransferGo
With a global boom in fintech company growth and a rise of companies integrating financial services into their businesses, more and more sensitive information, like cardholder info, is flowing through a plethora of systems and third-party applications.
From fintech start-ups to more established companies, organisations are working through this wildly complex ecosystem to understand where a company’s sensitive data goes and how to protect it while complying with regulations.
In particular, companies are struggling to achieve and maintain the Payment Card Industry Data Security Standard (PCI DSS, or PCI), which is required when interacting with cardholder data. But, PCI compliance is cumbersome and daunting – it takes an intense amount of time, labour, and capital.
What if PCI compliance didn’t have to be a burden? This is where outsourcing PCI compliance comes into play.
Fintech start-up perspective
Many fintech start-ups rely on their payment service provider (PSP) for PCI compliance, but this creates a few challenges. Ultimately, the start-up is still on the hook to maintain compliance – it may not be fully de-scoped. Depending on their PSP in this way can also limit fintechs from finding another PSP that might offer higher availability and lower fees.
Additionally, a start-up will not own its data, which limits its ability to extract the data’s full value. Meaning, it will be more difficult to understand what customers need and therefore difficult to create and promote new products and services. Outsourcing PCI compliance can help circumvent these challenges.
Take the fintech start-up Stilt. Founded five years ago and a Y Combinator-alum, Stilt’s lending platform provides vital financial services for immigrants in the US. As the company grew, so did customer demands for more banking services, namely access to a bank and debit or credit card. So, Stilt set out to launch a new debit card that would allow users to see their debit card numbers in Stilt’s application. To launch this, Stilt needed – you guessed it – PCI Level 2 compliance. This is something the Stilt team knew would be a two to three month process, and a heavy lift.
“Our infrastructure was ready to get PCI, but the process of hiring a third party, getting auditing done, and going through that painful and time-consuming process remained. Not to mention the time engineering associates would be pulled away from their core work,” said Priyank Singh, Stilt’s founder.
Stilt ultimately decided to outsource PCI compliance. The company turned to Very Good Security (VGS), secured PCI Level 2 compliance, and went live in just one week without the pain or diverted resources.
Also, VGS had the JavaScript Stilt needed to transform the aliased data and show the debit card numbers to their customers for verification.
Stilt launched its new product 80% quicker than they could have without VGS. Ultimately, outsourcing compliance let Stilt focus on its core business and help those who needed it most – immigrants navigating a complex US financial landscape.
Established fintech company perspective
Like start-ups, established fintech organisations also need the freedom to focus on their core business instead of compliance. Too often, these organisations opt for a do-it-yourself (DIY) approach to PCI compliance – but this can significantly hinder growth.
This is because the DIY route involves significant upfront and ongoing costs to build their own PCI compliant data security infrastructure, which likely requires hiring multiple new team members to shoulder the workload. If new hires aren’t brought in, then their current team will have to handle everything that’s needed to meet every single complex PCI requirement – distracting them from working on the products that are core to their business. Apart from slowing time to market when it comes to their bread-and-butter products, this can also hamper potential expansion into new markets.
That’s why outsourcing to a PCI vendor, who will be able to handle much of this burden on their behalf, can be a big value-add for larger fintechs. Some PCI compliance vendors offer payment optimisation and orchestration, enabling companies to expand their business while achieving PCI. As an example, fintechs can gain the flexibility to work with PSPs that serve customers in different countries as well as ones that offer lower fees or higher availability, thereby improving the customer experience.
Global fintech TransferGo saw immense growth when it outsourced PCI. Over 2.5 million customers trust TransferGo to send money to over 160 countries worldwide. TransferGo recently launched a new enterprise API-based product for organisations to make mass payments to customers, suppliers, and employees.
When developing the product, TransferGo ran into a serious constraint with its existing PSP – it would have to work the way that one PSP worked and couldn’t easily use other PSPs. TransferGo had no bargaining power, no-fail-over, and no way to balance transaction volume between partners.
The company needed a way to work with raw card data, without risk. The team decided not to build out PCI infrastructure in-house and searched for a solution that would allow them to process payment data securely, without giving up control of the company’s data.
After evaluating vendors, TransferGo selected VGS to accelerate its PCI Level 1 compliance certification and remove its data security burden.
Using VGS allowed TransferGo’s API to work with full card details while insulating enterprise customers – and TransferGo – from seeing or touching that data. With VGS, TransferGo secured PCI DSS Level 1 compliance with 10x less labour (just 35 days vs. 350 days) than doing it in-house would take.
The company can now work directly with card data, without storing it in-house, and have optimised payments by breaking lock-in to one PSP.
Closing thoughts
The path to PCI compliance is daunting, but it no longer needs to be. By outsourcing compliance to PCI-focused vendors, fintech start-ups and established organisations alike can focus on their core business without the burden of data compliance and security weighing on them.