If you’re reading this blog, you already know what PCI is. Chances are, you also have some inkling that it’s a pain in the you-know-what too. Just how severe that pain can be is something else altogether.
“One of the big headaches around payment is PCI compliance; it’s a huge challenge.” - Tony La, CTO, Honk.
The CTO of Honk, Tony La, for example, initially had his team build their own PCI-compliant infrastructure and managed the audit process in-house, only to find maintenance taking an excessive amount of time, energy, and focus that could have been spent on the core business. Tony decided to outsource their PCI for ongoing savings (and more) - despite having made it through the initial slog of a DIY build and audit.
DIY PCI: What Does it Take?
What does it take to build and maintain PCI-compliant infrastructure and go through the audit process in-house? Going the DIY route for PCI DSS Level 1 compliance is a painstaking 9-12 month process that easily costs $1.1MM upfront. Yearly upkeep is around $250K, continuing indefinitely, as ongoing testing and maintenance are vital to maintaining your compliance status. And these numbers don’t include the 2-3 FTE engineers in the first year and at least one half-time person on an ongoing basis. For Level 2, cut the costs, people hours, and time in half – still a significant amount of work.
The Benefits of Outsourcing PCI
“Our sensitive data is secure, and we’re PCI compliant with 10x less people and 5x more quickly than if we’d built our own solution.” - Will Maier, CISO, Even
There are several benefits to outsourcing your PCI versus building your own in-house PCI solution. The financial cost-savings with a solution like VGS are significant. So too are the time-savings, allowing your team to focus on your product and growing your business. You can also decrease your risk of a data breach and provide a better onboarding solution for customers.
For many fintechs, one of the most exciting benefits of outsourcing PCI is the ability to get to market faster with new products and services. The following five fintechs were looking to do just that when they approached VGS.
#1 Brex lets companies manage their finances and scale faster with Card, Cash, and controls in one account. Henrique Dubugras, CEO and Co-Founder of Brex, is an engineer who previously co-founded Pagar.me, one of the largest payment processors in Brazil. He shared with VGS, “At our core, we are built on the principle of empowering entrepreneurship and allowing companies to focus on what they do best.”
It’s that principle of allowing companies to focus on what they do best that overlaps perfectly with the outsourcing mindset. When asked how they approached PCI compliance, Henrique shared that in his time at Pagar.me, “One of the biggest lessons I learned was how much effort was involved in achieving PCI compliance. It took us more than a year, countless man-hours, and a significant amount of pain. So when we began formulating the idea for Brex, we strategized how to build a fintech company, with best-in-class security, but without having to spend months to reach PCI compliance.”
He continued, “From the beginning, Brex has had aggressive plans, and we knew that to achieve our goals, we needed to build quickly. Offloading the bulk of our PCI and security responsibility to VGS has really enabled us to move faster. It’s incredible to think, but Brex was founded in late 2017, and we only launched our first card in June 2018. Without VGS, we would not have been able to grow as quickly as we have since then.” He also shared, “I know that more scope equals more time to market. Brex has an ambitious roadmap, and it’s reassuring to know that with each new product, compliance does not have to be our primary concern.” And, “The real benefit for us, again, is speed to market.”
#2 Stilt is a mission-driven fintech company that provides financial services to immigrants and the underserved. They build products to improve financial inclusion and democratize access to credit. By outsourcing PCI, they launched a new product 80% quicker than if they had gone the DIY route. Priyank Singh, Founder of Stilt, said, “With VGS, we were able to get running on the platform and become PCI level 2 compliant in less than a week, with very little effort on our part.”
#3 Paytient is on a mission to eliminate cost as a barrier to care. As an employer-sponsored payment platform for employees' medical expenses, they “have to build and deploy highly secure products in not just one, but two highly regulated markets: finance and healthcare. On top of that, we have to do so rapidly,” shared Brian Whorley, CEO and founder of Paytient. He went on to explain that, for them, VGS’s Zero Data approach “has meant not having to make a false choice between security or speed - we can do both. Built the right way from early on using VGS, we’re able to commence enterprise-grade procurement processes with the confidence of a fully compliant stack - whether that is PCI Level 1 or 2 and SOC Type 1 or Type 2.”
When asked how he quantified the benefit of outsourcing PCI to VGS, Brian said, “Our eyes are always on what’s over the horizon, so the benefit is probably best framed in opportunity capture. VGS has allowed us to build a better product faster, definitely at a lower cost, and has also allowed us to create and define the bar for our category. We know the product we are building is secure, and we can dedicate less resources toward cumbersome compliance issues – which has enabled us to focus on continuing our growth and better helping our users.”
Calculate Your PCI Costs
At this point, you may be wondering what your savings could be if you outsource PCI compliance. Try this handy PCI Cost Calculator to find out!