Ways Risk Is Inherited in Client Environments

PCI compliance is shared because the risks are shared. One of the best ways for third-party advisors to reduce their exposure is to review client environments for the PCI weak points they might inherit. The most common include:

• Poor access hygiene: Problems with admin credentials, weak passwords and the like can expose sensitive systems that may be connected to cardholder data.
• Network gaps: Network segmentation can be used to reduce PCI scope, but, done poorly, it has the opposite effect. Gaps in networks and segmentation are often inherited from client environments and can quickly open pathways to security and regulatory risk.
• Inherited infrastructure: It doesn’t matter whether application and hardware vulnerabilities predate a channel partner’s integration with the client environment. That inherited infrastructure comes with risks and responsibilities the channel must contend with to comply with PCI DSS.
• Cloud confusion: Cloud security is another area governed by a shared responsibility model, and it often overlaps with PCI compliance. If those responsibilities aren’t clear, the result can be insufficiently protected data and compliance risk.
• Documentation and visibility problems: A vital part of shared responsibility is visibility, but clients do not always have up-to-date inventories to reference. This can leave outside advisors exposed to risks they don’t even know about, which in turn causes complications if an audit is ever called for.

Shared Responsibility and Third-Party Dependencies

PCI responsibility begins with the merchant. It’s their responsibility to define the scope, validate compliance and choose third-party providers that fit regulatory demands. The next layer is the payment processors and platforms, which are required to provide PCI-validated payment applications and services. Finally, we get to the channel partners.
Every way in which a merchant or payment provider depends on channel partners expands the PCI scope. This dependency is where risk is inherited. Similarly, any way in which a third party’s system touches cardholder data, whether via networks, SaaS integrations or otherwise, must be secured according to PCI guidelines.

The Cost of Getting It Wrong

PCI DSS financial penalties can cost businesses up to $1.2 million per year. Poor compliance can also rupture client relationships and lower perceived trustworthiness.

Worse than compliance failure alone is a failure that is caught because of a security incident. Investigations and reviews are often lengthy and require significant staff and legal resources. If the incident led to a data breach, there’s the expense of data recovery, liability claims and all the reputational losses that come with that as well.

In short, inherited PCI DSS risk is something worth taking seriously. The cost of not doing so is simply too high.

A Practical Playbook for Partners

Inherited risk isn’t what costs channel partners; unmanaged risk is. The best way to mitigate PCI problems is to tackle them as soon as a new client environment is engaged. Here’s how to do that, no matter the size of your business:

• Before any access is granted or systems are integrated, map the landscape of the client environment, its networks and the systems connected to it.
• Clean up access weaknesses and remove access wherever it isn’t necessary. This is one of the most efficient and cost-effective ways to limit inherited risk.
• Document how your channel will interact with the client environment, so you can see where their PCI scope becomes yours.
• Validate everything. Don’t assume that segmentation exists as it should or that sensitive data is stored appropriately.
• Build risk management into the client relationship. This includes regular maintenance checks and updates on any system changes.
• Define how “shared responsibility” will operate in practical, clear terms. The more detailed, the better.

The key is proactiveness. Prioritizing visibility, strong access hygiene and validation processes forces PCI risks out of hiding early and allows channel partners to address any inherited weakness long before it escalates.

Chris Brown is a senior cybersecurity and product marketing leader at VikingCloud.

[Figure credit: Source: ABBYY]

[Sidebar: 9-Step PCI Compliance Checklist (Source: SecureTrust by VikingCloud). Steps as listed, original numbering not recoverable: install a firewall and VPN; monitor and track user access requests; encrypt data while at rest and in transit; establish a foolproof update schedule; restrict cardholder data with strong passwords and multi-factor authentication; physically secure any premises where cardholder data is stored; run penetration tests and vulnerability scans; be clear on security policies and keep personnel up to speed; use up-to-date antivirus and anti-malware software to prevent threats.]

[Chart: The Cost of Security Incidents (Source: Netwrix). Values not recoverable.]

[Chart: Perceived Fitness for High-Stakes Work, 2023 vs. 2024 vs. 2025. Values not recoverable.]

[Chart: How AI Is Impacting Security Postures (Source: Netwrix). Response categories: new threats (AI-driven threats have forced us to adjust our security approach); new attack surface (business uses AI, we have to protect our organization); new compliance requirements (auditors require proof of data security and privacy in AI-based systems); stronger defenses (cybersecurity AI tools improved detection and response capabilities); not sure / too early to tell; time and effort savings (offloaded some workload from our IT/security team to AI); we implemented cybersecurity AI tools and are still assessing their impact; we have not implemented AI tools, but we are considering them; we have not implemented AI tools, and we don’t plan to; N/A, we have not done anything in particular to improve the outputs of AI tools. Percentages not recoverable.]

24 CHANNELVISION | WINTER 2026