Hosted Payment Security ‘Up to 50% Cheaper’ Than In-house Solution

Implementing a hosted payment security solution can cost 50% less than an in-house version, according to a new whitepaper by payment services firm CyberSource. The whitepaper outlines four steps in planning a payment security strategy.

Following the establishment of the Payment Card Industry Data Security Standard (PCI DSS) in 2004, which set a minimum standard of security for merchants and created an additional level of protection for card users, merchants are still struggling to meet compliance requirements.

In an interview with gtnews, Dr Akif Khan, director, products and services, CyberSource and co-author of the annual UK Online Fraud Report, said that merchants often found it difficult to decide between two potential approaches to secure the payment data in their systems: implement a hosted solution or an in-house version. “We have found that when merchants had settled on a particular approach, they often didn’t investigate fully the costs associated beyond the initial implementation phase. So we put together a model to help merchants understand the long-term cost implications of the two main approaches to securing payment data,” Khan said.

Four steps to take in planning a payment security strategy:

1. Scope: securing the full transaction lifecycle

All costs associated with securing data throughout the transaction lifecycle, from the point of acceptance through reconciliation and transaction storage, should be included in the analysis. This includes all systems, staff and processes affected by the flow of payment data in order to support the completion of a customer’s order.

2. Cost types

CyberSource recommends assessing and grouping the costs into three categories: personnel, technology and PCI compliance. Both direct hard costs (quantifiable costs associated with staffing, or with the procurement and maintenance of hardware and software) and soft costs, such as the risk of a breach and brand perception, need to be considered.

3. Cost models: tracking the technology lifecycle

Distinct phases of the lifecycle need to be modelled:

  • Implementation – cost components specific to integrating technology, typically the first year of the project.
  • Operations/management – cost of operating and managing the solution. This also includes the cost of replacing outdated components with new and better versions of the technology, which typically takes place anytime between years two and five of the lifecycle.

4. Cost comparison: on-premises versus hosted

According to CyberSource, over a period of five years, the hosted approach is projected to cost about 50% less than the on-premises approach, most notably in the area of technology-related expense. Personnel costs remain the biggest expense, representing a higher percentage of the total cost for the hosted approach as compared to the in-house approach, but the personnel costs associated with a hosted approach are projected to be almost half the cost of those associated with an on-premises approach. The PCI certification cost remains a consistent percentage of the total cost across the two approaches and in all phases of the technology lifecycle. However, the absolute cost is higher for the on-premises approach.

Khan said that merchants needed to fully identify what processes were affected by PCI compliance. “PCI compliance and data security are not necessarily synonymous. Once they’ve identified all the touchpoints with their processes and where their payment data is, that gives them a good foundation on which to build when assessing the costs associated with the two different approaches.”

He continued: “If you are considering becoming PCI compliant, make sure that you take a structured approach to costing out potential solutions over a multi-year period to make the decision that is right for your business. We would encourage all merchants to carry out this costing themselves so that they don’t make any hasty decisions based on upfront vendor fees, for example.”
