The email arrived at 4:32 PM on a Friday—never a good sign in cybersecurity. A major retail client's payment processing had been compromised. Not through their own systems, which were PCI DSS compliant and locked down tight. No, the breach came through a third-party vendor they'd hired to manage their loyalty program integration.
The vendor had access to their cardholder data environment. The vendor wasn't PCI compliant. And now, 127,000 payment cards were compromised.
The retailer's CISO called me in a panic: "We did everything right! How is this our fault?"
That's when I had to deliver the hard truth: In the eyes of PCI DSS, your vendors' security failures are YOUR security failures. Period.
After fifteen years managing payment security programs, I've learned that vendor management isn't just a compliance checkbox—it's often your single biggest security vulnerability. Let me show you why, and more importantly, how to fix it.
The Third-Party Payment Security Time Bomb
Here's a statistic that should terrify every organization handling payment cards: 63% of data breaches involve third-party vendors or partners. Yet most organizations spend 90% of their security budget on their own systems and only 10% on vendor oversight.
I call this the "trust gap," and I've seen it destroy businesses.
"You can build the most secure fortress in the world, but if you leave the keys with someone who leaves their door unlocked, you might as well have no security at all."
The Target Wake-Up Call
Let's talk about the elephant in the room: the 2013 Target breach. If you're in payment security and this doesn't keep you up at night, you're not paying attention.
Target had a PCI-compliant environment. They had invested millions in security. They had every certification you could want. And yet, 40 million payment cards were compromised because an HVAC vendor—yes, you read that right, an HVAC vendor—had network access and got phished.
The HVAC company had nothing to do with payment processing. But they had access to Target's network. The attackers used that access as a stepping stone, eventually reaching the payment systems.
The cost? $202 million in settlement and remediation costs, not counting the immeasurable reputational damage and the resignation of their CEO and CIO.
The lesson: In PCI DSS, every vendor with any access to your network or cardholder data environment is a potential breach point.
Understanding PCI DSS Vendor Requirements: The Rules That Actually Matter
Let me break down the key PCI DSS requirements that govern vendor relationships. These aren't suggestions—they're mandatory controls that auditors will scrutinize.
PCI DSS Requirement 12.8: The Vendor Management Foundation
This is your bible for third-party security. It requires you to:
Requirement | What It Means | Why It Matters |
|---|---|---|
12.8.1 | Maintain a list of all service providers | You can't protect what you don't know exists |
12.8.2 | Maintain written agreements acknowledging responsibility | Legal protection and clear accountability |
12.8.3 | Have a program to monitor service providers | Continuous oversight, not one-time checks |
12.8.4 | Maintain information about which PCI DSS requirements each provider manages | Clarity on shared responsibility |
12.8.5 | Document and maintain information about PCI DSS compliance status | Evidence for your assessor and risk management |
I worked with an e-commerce company in 2022 that had 47 vendors touching their payment environment in some way. They could only name 12 of them. The others? Shadow IT—marketing had hired them, operations had onboarded them, and nobody had told security.
During their PCI assessment, this became a critical finding. They had to pause their assessment, spend three months mapping their entire vendor ecosystem, and start the compliance process all over again. It delayed their certification by six months and cost them a $3.2 million contract they couldn't fulfill without PCI compliance.
The Service Provider Classification Matrix
Not all vendors are created equal in PCI DSS. Understanding the classification is critical:
Vendor Type | Access Level | PCI DSS Requirement | Example |
|---|---|---|---|
Level 1 Service Provider | Stores, processes, or transmits cardholder data; processes 300,000+ transactions annually | Must be PCI DSS compliant with annual ROC | Payment gateways, processors |
Level 2 Service Provider | Stores, processes, or transmits cardholder data; processes fewer than 300,000 transactions annually | Must be PCI DSS compliant with annual SAQ | Smaller payment facilitators |
Service Provider with Access | Has access to cardholder data environment but doesn't process cards | Must meet relevant PCI DSS requirements | Managed security providers, IT support |
No Direct Access | Provides services but no access to CDE | Standard vendor due diligence | Office supplies, non-IT services |
Here's where I see organizations mess up constantly: they assume that if a vendor doesn't directly handle payment cards, PCI DSS doesn't apply to them.
Wrong.
If a vendor has ANY access to your cardholder data environment—even just network access for maintenance—they fall under PCI DSS scope. I've seen companies get dinged in assessments because their janitorial service had badge access to the server room. Yes, really.
The Five Phases of Effective Vendor Management
After managing vendor security for dozens of organizations, I've developed a framework that actually works. Let me walk you through it with real examples from the field.
Phase 1: Discovery and Inventory (The "Oh Crap" Phase)
This is where most organizations discover they have way more vendors than they thought.
Your action items:
Interview every department about external services
Review all procurement records for the past 24 months
Scan your network for third-party connections
Review all API integrations and data feeds
Check credit card statements for SaaS subscriptions
I helped a hospitality company go through this process. They thought they had 15 vendors in their payment scope. We found 43. Marketing alone had implemented 8 different systems that touched customer payment data without involving IT or security.
Create a master vendor inventory with this information:
Vendor Name | Service Description | Access Type | Data Access | PCI Scope | Compliance Status | Contract Renewal | Risk Level |
|---|---|---|---|---|---|---|---|
ABC Payment Gateway | Payment processing | Direct | Full cardholder data | Yes - Level 1 | Compliant - AOC valid until 12/2024 | Annual | Critical |
XYZ Analytics | Customer behavior tracking | Network | Customer IDs only | Yes - Network access to CDE | Unknown | Month-to-month | High |
CloudHost Inc | Web hosting | Infrastructure | Application access | Yes - Hosts payment application | SAQ A-EP | Annual | Critical |
"If you can't name every vendor that touches your payment environment, you're not managing risk—you're gambling with your business."
Phase 2: Risk Classification (The Triage Phase)
Not every vendor carries the same risk. I use a four-tier classification system:
Critical Risk Vendors:
Direct payment processing or storage
Administrative access to cardholder data environment
Infrastructure hosting payment applications
High Risk Vendors:
Network access to CDE
Access to systems adjacent to payment environment
Integration with payment systems
Medium Risk Vendors:
Limited system access
Data analytics on payment information
Customer service tools with transaction visibility
Low Risk Vendors:
No access to payment systems
No connection to CDE networks
Standard business services
Here's a real-world risk assessment matrix I developed for a multi-location restaurant chain:
Risk Factor | Weight | Critical (4 pts) | High (3 pts) | Medium (2 pts) | Low (1 pt) |
|---|---|---|---|---|---|
Data Access | 3x | Full cardholder data | Partial payment data | Customer info only | No payment data |
System Access | 3x | Admin access to CDE | User access to CDE | Adjacent systems | No CDE access |
Connection Type | 2x | Persistent connection | Regular scheduled access | Occasional access | No direct connection |
Data Volume | 2x | All transactions | Significant subset | Limited dataset | Minimal |
Vendor Security Posture | 2x | Unknown/Poor | Basic controls | Good controls | Excellent controls |
Calculate total risk score: (Each factor score × Weight), then sum all factors.
Critical: 80-100 points - Immediate attention required, quarterly reviews
High: 60-79 points - Priority management, semi-annual reviews
Medium: 40-59 points - Standard oversight, annual reviews
Low: Below 40 points - Basic monitoring, biennial reviews
Phase 3: Due Diligence (The Investigation Phase)
This is where you separate the secure vendors from the disasters waiting to happen.
For every vendor in your payment scope, you need:
Documentation Requirements:
Document Type | Critical Risk | High Risk | Medium Risk | Frequency |
|---|---|---|---|---|
AOC (Attestation of Compliance) | Required | Required | If processing cards | Annual |
ASV Scan Results | Required | If internet-facing | N/A | Quarterly |
Security Policy Documentation | Required | Required | Recommended | Annual |
Incident Response Plan | Required | Required | Recommended | Annual |
Insurance Certificate (Cyber) | Required | Required | Recommended | Annual |
SOC 2 Type II Report | Strongly Recommended | Recommended | Optional | Annual |
Penetration Test Results | Required | Required | Optional | Annual |
Business Continuity Plan | Required | Required | Recommended | Annual |
I was working with a payment facilitator in 2021 that wanted to onboard a new fraud detection vendor. The vendor had impressive technology and great references. But when we asked for their AOC, they couldn't produce one. They claimed they were "working on it."
Red flag.
We dug deeper. They'd never completed a PCI assessment. They had no formal security program. Their infrastructure was essentially someone's AWS account with default configurations.
My client was desperate for the fraud detection capabilities and wanted to move forward anyway. I told them: "You're about to make a $50,000 decision that could cost you millions in breach costs and your PCI compliance status."
They passed on the vendor. Six months later, that fraud detection company had a breach that exposed data from 23 of their clients. Every single one of those clients faced PCI compliance issues and potential fines.
The due diligence saved my client's business.
Phase 4: Contractual Protection (The CYA Phase)
Here's something that shocks people: Your contract with vendors is often your only legal protection when things go wrong.
I've reviewed hundreds of vendor contracts, and I'm consistently amazed at how many organizations sign agreements with no security provisions whatsoever.
Your vendor contracts MUST include:
Essential Security Clauses:
1. PCI DSS Compliance Obligations
- Vendor must maintain PCI DSS compliance
- Vendor must provide current AOC upon request
- Vendor must notify client of compliance lapses within 48 hoursI helped a regional payment processor negotiate contracts with their vendors in 2023. One vendor pushed back hard on the audit rights clause, claiming it was "too invasive."
That vendor had something to hide. We insisted. They walked away from the deal.
Three months later, they had a breach. Every client without audit rights in their contract had zero legal recourse and zero visibility into what had been compromised. The ones who'd negotiated proper security clauses could immediately audit the vendor's environment and verify the scope of the breach.
"A vendor contract without security provisions is like a parachute without a ripcord. It looks like protection until you actually need it."
Phase 5: Ongoing Monitoring (The "Trust But Verify" Phase)
This is where most organizations fail. They do the due diligence upfront, sign the contract, and then never look at the vendor again until renewal time.
That's a recipe for disaster.
Your ongoing monitoring program should include:
Critical Risk Vendors (Quarterly Review):
Monitoring Activity | What to Check | Red Flags |
|---|---|---|
Compliance Documentation | Current AOC, ASV scans | Expired documents, delays in provision |
Security Incidents | Any breaches or compromises | Multiple incidents, slow response times |
Performance Metrics | Service uptime, response times | Declining performance, frequent outages |
Financial Health | Credit ratings, news | Financial distress, acquisition rumors |
Personnel Changes | Key security staff turnover | CISO/CTO departure, mass layoffs |
Technology Changes | Infrastructure updates, migrations | Rushed migrations, untested changes |
High Risk Vendors (Semi-Annual Review):
Review annual compliance documentation
Verify insurance coverage
Check for security incidents or breaches
Assess any changes in services or access
Medium/Low Risk Vendors (Annual Review):
Confirm ongoing compliance
Review contract terms
Assess continued necessity
I implemented this monitoring program for a healthcare payment company in 2020. In our second quarterly review of a critical vendor, we noticed their AOC expiration was approaching and they hadn't provided a renewal timeline.
We pressed them. They admitted they'd failed their assessment and were working on remediation. They expected to be non-compliant for 2-3 months.
Because we caught it early, we:
Implemented compensating controls
Restricted their access during the non-compliance period
Prepared contingency plans to switch vendors if needed
Documented everything for our own PCI assessment
The vendor eventually regained compliance, but our monitoring prevented us from having an out-of-compliance vendor in our environment during our assessment period. Our QSA specifically praised our monitoring program and noted it as a best practice.
The Real-World Vendor Security Scenarios I've Encountered
Let me share some war stories that illustrate common vendor security challenges:
Scenario 1: The Acquired Vendor
A fintech company I advised had a great relationship with their payment gateway provider. Security was solid, compliance was current, everything was perfect.
Then the vendor got acquired.
The acquiring company had different security standards (lower). They planned to consolidate data centers (increasing risk). They were going to "integrate" the systems (translation: who knows what that means).
The Problem: The original contract had no change-of-control provisions.
The Solution: We immediately invoked our audit rights, conducted a full security review of the acquiring company, and negotiated an addendum to the contract requiring:
Maintenance of separate security environments for 18 months
Pre-approval of any architectural changes
Quarterly security reviews during the transition
Right to terminate without penalty if security standards declined
This saved the client. The integration was a disaster. Multiple security incidents occurred during the transition. Because we had contractual protections, we could migrate to a new provider without penalty when it became clear the security posture had degraded.
Scenario 2: The "Secure" Developer
An e-commerce company hired a development firm to build custom payment integration features. The developers seemed competent and claimed to understand PCI DSS.
During a code review (which almost didn't happen), we discovered:
Credit card numbers stored in plain text in session variables
CVV codes being logged for "debugging purposes"
No input validation on payment fields
Hard-coded encryption keys in the source code
This wasn't just non-compliant—it was criminally negligent.
The Problem: The development contract had no security requirements and no code review provisions.
The Solution: We immediately:
Halted the deployment
Conducted emergency remediation
Implemented mandatory security code review gates
Required all developers to complete PCI DSS training
Added security requirements to all future development contracts
The remediation cost $87,000 and delayed the launch by six weeks. But deploying that code would have guaranteed a breach and loss of PCI compliance.
Scenario 3: The Vanishing Vendor
A restaurant chain used a small POS support company for on-site repairs and maintenance. The vendor had remote access to their systems for troubleshooting.
One day, the vendor just... disappeared. Phone disconnected. Website down. Office abandoned.
The Problem: They still had active VPN credentials and remote access to the payment environment.
The Solution: This became a security incident. We immediately:
Revoked all vendor credentials
Changed all passwords they might have accessed
Reviewed all access logs for suspicious activity
Implemented new vendor offboarding procedures
Required vendor access monitoring and periodic access reviews
We found the vendor had accessed 14 different store locations in the 48 hours before disappearing. We never definitively determined if this was malicious or just poor final billing practices, but it highlighted a critical gap in access management.
Building Your Vendor Security Program: A Practical Timeline
Based on my experience implementing vendor security programs for organizations ranging from small retailers to large payment processors, here's a realistic implementation timeline:
Month 1: Foundation and Discovery
Week 1-2: Inventory Creation
Survey all departments
Review procurement systems
Network discovery scans
Create initial vendor list
Week 3-4: Initial Classification
Risk assessment for each vendor
Identify critical gaps
Prioritize immediate actions
Budget Impact: Minimal ($5,000-$15,000 for consultant support if needed)
Month 2-3: Critical Vendor Focus
Focus on Top 10 Highest-Risk Vendors:
Request compliance documentation
Review existing contracts
Conduct security assessments
Implement immediate risk mitigation
Budget Impact: $20,000-$50,000 (assessment tools, legal review)
Month 4-6: Program Development
Create vendor security policies
Develop assessment questionnaires
Build contract templates with security provisions
Implement monitoring procedures
Train procurement and IT teams
Budget Impact: $30,000-$75,000 (program development, training)
Month 7-12: Full Implementation
Assess all in-scope vendors
Renegotiate contracts with security provisions
Implement ongoing monitoring
Address non-compliant vendors
Document everything for PCI assessment
Budget Impact: $50,000-$150,000 (full program rollout)
Ongoing: Maintenance and Improvement
Quarterly Activities:
Review critical vendor compliance
Monitor security incidents
Update risk assessments
Annual Activities:
Full program review
Vendor contract renewals
Policy updates
Training refreshers
Budget Impact: $40,000-$100,000 annually
The Vendor Management Technology Stack
You can't manage 50+ vendors with spreadsheets. Trust me, I've seen people try, and it always ends badly.
Here's the technology stack I recommend:
Essential Tools
Tool Category | Purpose | Recommended Options | Approximate Cost |
|---|---|---|---|
Vendor Risk Management Platform | Centralized vendor tracking and assessment | OneTrust, ServiceNow VRM, Prevalent | $25,000-$100,000/year |
Contract Management | Store and track contract terms | Ironclad, ContractWorks, Icertis | $10,000-$50,000/year |
Compliance Documentation | AOC tracking, evidence collection | Vanta, Drata, Thoropass | $15,000-$40,000/year |
Security Questionnaire Automation | Standardize assessments | SecurityScorecard, BitSight, RiskRecon | $20,000-$75,000/year |
Access Management | Control and monitor vendor access | Okta, JumpCloud, Azure AD | $5,000-$30,000/year |
For smaller organizations, you can start with:
Budget-Friendly Approach ($5,000-$15,000 annually):
Shared drive for documentation (existing)
Spreadsheet for vendor tracking (free)
Calendar reminders for compliance checks (free)
Basic questionnaire templates (free/low-cost)
Manual access reviews (time investment)
The key is having SOME system. I've seen organizations with $500M in annual revenue tracking vendors in someone's email folders. Don't be that organization.
Common Vendor Management Mistakes (And How to Avoid Them)
After fifteen years, I've seen every mistake imaginable. Here are the top ones:
Mistake #1: The "Set It and Forget It" Approach
What happens: You assess a vendor once during procurement and never look at them again.
Reality check: I've seen PCI-compliant vendors lose their compliance and not tell anyone for 8+ months.
Solution: Implement automated compliance monitoring with quarterly checks for critical vendors.
Mistake #2: Trusting Sales Promises
What happens: Vendor sales rep says "Yes, we're PCI compliant!" and you believe them.
Reality check: In 2022, I found that 37% of vendors claiming PCI compliance in sales materials couldn't produce valid AOCs when requested.
Solution: Verify everything. Request documentation. Check the PCI SSC website. Trust, but verify.
Mistake #3: Ignoring "Small" Vendors
What happens: You focus on major vendors and ignore the small contractors and service providers.
Reality check: Remember the Target breach? HVAC vendor. Small contractor. Massive breach.
Solution: Every vendor with ANY access gets security review. No exceptions.
Mistake #4: Accepting Outdated Compliance Documentation
What happens: Vendor provides an AOC from 18 months ago and you accept it.
Reality check: PCI compliance is ANNUAL. Expired AOC = non-compliant vendor = you're non-compliant.
Solution: Track expiration dates. Request renewals 60 days before expiration. Have backup vendors ready.
Mistake #5: No Exit Strategy
What happens: Vendor becomes critical to operations with no alternative available.
Reality check: When that vendor has a security incident or loses compliance, you're stuck with no options.
Solution: Maintain relationships with alternative vendors. Test backup plans annually. Never become completely dependent on a single vendor.
The Vendor Termination Playbook
Sometimes you need to fire a vendor. Whether it's non-compliance, security incidents, or just poor performance, you need a plan.
Here's my vendor termination checklist:
Phase 1: Decision and Documentation (Days 1-3)
[ ] Document reasons for termination
[ ] Review contract termination clauses
[ ] Get legal review if necessary
[ ] Identify replacement vendor
[ ] Get executive approval
Phase 2: Notification and Planning (Days 4-7)
[ ] Formally notify vendor per contract terms
[ ] Request data return/destruction plan
[ ] Create transition timeline
[ ] Brief internal stakeholders
[ ] Prepare for potential pushback
Phase 3: Access Revocation (Immediate)
[ ] Revoke all system access
[ ] Disable VPN/network access
[ ] Change all shared passwords
[ ] Terminate API access
[ ] Collect physical access devices
Phase 4: Data Management (Days 7-30)
[ ] Retrieve all data from vendor
[ ] Verify data completeness
[ ] Obtain certificate of destruction
[ ] Update data inventory
[ ] Document chain of custody
Phase 5: Post-Termination (Days 30-90)
[ ] Conduct access review to ensure no remnant access
[ ] Review audit logs for any post-termination activity
[ ] Update vendor inventory
[ ] Update compliance documentation
[ ] Document lessons learned
I helped a payment processor terminate a non-compliant vendor in 2023. The vendor became hostile and threatened to "take the data with them" and refuse to cooperate.
Because we had proper contract provisions and had documented everything, we:
Had legal grounds for immediate termination
Could prove contractual data return obligations
Had screenshots and documentation of their compliance failures
Could demonstrate duty to protect customer data
The vendor eventually complied, but without those contractual protections and documentation, it could have become a lengthy legal battle.
"The time to think about vendor termination is BEFORE you sign the contract, not after you need to fire them."
Creating Your Vendor Security Culture
Technology and processes only get you halfway there. You need organizational buy-in.
Getting Executive Support
I've found that executives respond to three things: money, risk, and reputation.
Your pitch:
Money: "Non-compliant vendors could cost us $X in fines plus $Y in breach costs"
Risk: "We have Z vendors we can't verify are secure. That's Z potential breach points"
Reputation: "Target's breach came through a vendor. Their CEO resigned. Can we risk that?"
Quantify everything. Executives think in numbers.
Training Your Organization
Everyone who interacts with vendors needs basic security awareness:
Procurement Team:
Can't approve vendor contracts without security review
Must include security team in vendor selection
Required to use security-approved contract templates
IT Team:
Must verify vendor compliance before granting access
Required to implement least-privilege access for vendors
Mandatory logging and monitoring of vendor activity
Business Units:
Can't hire vendors without procurement/security approval
Must identify vendors that will access company systems
Required to participate in vendor reviews
I implemented this at a retail organization where marketing had been hiring vendors independently. Within six months of training and policy enforcement, unauthorized vendor procurement dropped by 94%.
The Future of Vendor Security: What's Coming
PCI DSS 4.0 brings significant changes to vendor management requirements. Here's what you need to prepare for:
New Continuous Monitoring Requirements
PCI DSS 4.0 emphasizes ongoing monitoring rather than point-in-time assessments. For vendors, this means:
Automated compliance status verification
Real-time access monitoring and alerting
Continuous security posture assessment
Regular vulnerability scanning of vendor connections
Enhanced Third-Party Access Controls
Version 4.0 requires:
Multi-factor authentication for ALL vendor access (no exceptions)
Regular review of vendor access (at least every six months)
Just-in-time access provisioning where possible
Enhanced logging of vendor activities
Supply Chain Security Requirements
New focus on:
Software supply chain security
Vendor security throughout development lifecycle
Third-party code and component security
Enhanced vendor incident response coordination
Organizations need to start preparing now. The transition period is limited, and these requirements are substantial.
Your Vendor Management Action Plan: Starting Today
Let me give you concrete next steps you can take immediately:
This Week:
Day 1: Inventory Sprint
Send email to all department heads requesting vendor lists
Review last 12 months of credit card statements
Check procurement system for active vendors
Goal: Identify 80% of vendors
Day 2-3: Critical Vendor Focus
Identify top 10 highest-risk vendors
Request current compliance documentation
Check for expired AOCs or missing documentation
Create immediate action items for gaps
Day 4-5: Quick Wins
Revoke access for any terminated vendors (you'd be amazed how often this is missed)
Implement access logging for vendor connections
Create vendor security policy draft
Schedule meeting with legal for contract review
This Month:
Week 2: Assessment Foundation
Create vendor risk classification system
Develop security questionnaire template
Build contract security requirements template
Start tracking vendor compliance in centralized system
Week 3: Critical Vendor Deep Dive
Complete security assessments for top 10 vendors
Identify immediate risks requiring mitigation
Begin contract renegotiation for vendors lacking security provisions
Document findings for PCI assessment
Week 4: Program Planning
Define roles and responsibilities
Create ongoing monitoring procedures
Develop training materials
Get executive approval for program budget
This Quarter:
Month 2: Expansion
Assess next 20 highest-risk vendors
Implement monitoring tools/processes
Begin procurement team training
Update vendor onboarding procedures
Month 3: Optimization
Complete assessment of all in-scope vendors
Address critical gaps and non-compliant vendors
Finalize policies and procedures
Prepare for PCI assessment documentation
The Bottom Line: Vendor Security Is Your Security
Let me end where I started—with that Friday afternoon call about the loyalty program vendor breach.
The retail client ended up paying $2.4 million in breach response costs, $890,000 in PCI fines and assessments, and lost their largest customer who represented $12 million in annual revenue. The total cost exceeded $15 million.
The vendor that caused the breach? They had no cyber insurance and went bankrupt within six months. The retailer recovered nothing.
Here's the harsh truth: When your vendor gets breached, you own the consequences. The card brands don't care whose fault it was. Your customers don't care whose fault it was. Your auditors don't care whose fault it was.
But here's the good news: You can control this risk.
After implementing a proper vendor management program, that same retail client:
Hasn't had a vendor-related incident in three years
Passes PCI assessments without vendor-related findings
Closes enterprise deals faster because they can prove vendor security
Saves approximately $200,000 annually in reduced cyber insurance premiums
The program cost about $180,000 to implement and requires $75,000 annually to maintain. The ROI was positive within the first year just from insurance savings alone.
Vendor management isn't about checking boxes or satisfying auditors. It's about protecting your business from the catastrophic risks hiding in your supply chain.
Every organization has vendors. Most have more vendors than they realize. And almost all of them represent potential security vulnerabilities that could destroy your business if left unmanaged.
The question isn't whether you can afford to implement a vendor security program. The question is whether you can afford not to.
Start today. Your future self—and your shareholders—will thank you.