Practical Ecommerce

Survey Results: PCI Standards Helpful, Confusing and Necessary

Our January 2010 reader survey addressed PCI compliance, the self-regulatory effort by the credit card brands (Visa, MasterCard, American Express, Discover and JCB) to protect consumers’ credit card information.

The card brands say that any company that accepts credit card payments from its customers must comply with the PCI Data Security Standard (PCI DSS). The validation burden scales with transaction volume: the largest merchants must undergo an on-site assessment by a Qualified Security Assessor, while smaller merchants can in many cases validate with a Self-Assessment Questionnaire (SAQ). Virtually all ecommerce merchants must comply in some fashion.

No responsible merchant doubts the necessity of protecting consumers’ credit card data. But many merchants are confused by the standards, and they wonder about their effectiveness.

Our January 2010 reader survey asked about this. The survey consisted of four questions, each with a comment section below it. Readers who completed the survey and then provided us with their name and email address were automatically entered in a contest to win a $25 Amazon gift certificate. The contest winner, chosen by a random number generator, was Staci Schipporeit.

Partial screenshot of January 2010 reader survey.

Types of Businesses

Fifty-one readers completed the survey. Question four asked, “Which best describes you or your business?” and the responses were:

  • Ecommerce company: 39.2 percent
  • Developer, designer or programmer: 21.6 percent
  • Software, SaaS or other vendor: 19.6 percent
  • Other: 19.6 percent

Do the Standards Help?

Question one of the survey asked, “PCI standards represent the credit card industry’s attempt to self-regulate the storage and protection of credit card data. Which statement below best summarizes your view of these standards?” The responses were:

  • Helpful and necessary: 37.3 percent
  • Confusing and a waste of money: 33.3 percent
  • Other: 29.4 percent

Selected comments to this question are listed below.

“It’s an attempt at making things more secure, but its implementation is causing more confusion and resentment than it’s helping for SMBs.”

“Yeah it is very useful to us.”

“Even if the PCI Council’s aim is in the right direction, there’s so much confusion about the PA-DSS requirements for open source shopping carts that there is definitely a lot of money that will be wasted. Unfortunately it will be the merchants’ money.”

“It is helpful and necessary; the only problem is that the standard is international and most countries with a low security vision don’t take it as seriously as the U.S. or Europe.”

“Standards? Have several companies test a site for compliance and you’ll not get two reports that are the same.”

“It’s in everyone’s best interest to have a standardized set of best practices. Since credit card companies bear the brunt of the expense to monitor fraud, the privilege of setting standards is theirs.”

“Confusing, maybe helpful.”

“A waste of time and money, but not confusing. I do not feel the need for penetration-testing, nor many of the other principles and controls inherent in PCI DSS as it stands today.”

“Necessary – yes! Confusing – yes! PCI compliancy has become worryingly complicated. I’ve spoken to a former colleague who felt like he was wading through treacle to get through the lengthy documentation. I worry that a lack of clarity and conciseness in the way the regulations are conveyed may intimidate developers.”

“Probably necessary but VERY confusing!”

“As a retail organization, it is our responsibility to keep our customers’ data safe.”

“Helpful and necessary / Confusing and a waste of money. Necessary to help secure transactions and keep fly-by-night companies from springing up. Yes, it is confusing, no clear-cut instructions; seems like another way for merchant providers to make more money.”

“Do not push the cost and effort of protecting your insecure system on to me.”

“Necessary to a point. Obviously merchants are concerned with protecting credit card data. However, PCI compliance/certification is difficult for small businesses and expensive. Also, the requirement to background-check all employees of the company is totally ridiculous. We are a small company with loyal employees. I find it offensive to be told I must background-check them. Background checks are just a CYA in my opinion. Many ‘offenders’ of all kinds have perfectly clean background records and then commit horrors.”

“The requirements and the intent of the requirements are not always clear. Different QSAs interpret the requirements differently.”

“Confusing, a waste of money but necessary. Problem for me as a host: my dedicated server is as PCI compliant as I can make it but can’t be certified since I don’t physically own it. As a website owner, no one wants to change hosting or pay for new code to save $20 a month. Catch-22: drive up costs for everyone, making it safer? Don’t know.”

“It gives McAfee and other scammers a way to take huge fees from small merchants for doing nothing useful. PCI also doesn’t address any of the major causes of financial loss, all of which are borne by the merchant anyway.”

“It is extremely important to enhance payment account data security. Self-regulation is a start.”

“Very confusing, but not necessarily a waste of money.”

“The main problem is that the industry itself has always sought to defer liability. In essence, all transactions can pass only cardholder data via the processor/gateway via their SSL. If this was not the case, there would be far less confusion. Vendors who met VISA software standards in the past see PA-DSS as another scam to create a vast new industry, and have largely been non-cooperative in forking out the initial $50-200K, though now there are signs that the acquirers are coming to their senses. Who is it that during the 2002 to 2007 period lost many millions of cardholders’ data? It was the big players. So the story is do as we say, not as we do. Of course, we need to be able to have safe, secure commerce, and the average merchant needs to be accountable, but until there is a true cooperative effort toward both compliance and affordability and clarity I doubt cooperation will be forthcoming. CRE Secure (see Orbital) and other hosted options will come to save the day, perhaps, and there are other interesting developments, but the majority of level 3-4 merchants feel out of the loop, and I can see the vultures circling. I take the whole matter quite seriously, and quite frankly, it should go without saying that I think the process may end up in regulation, if cooperation does not take the place of liability deferment and self-interest by the ones at the top of the ecommerce food chain.”

“Confusing and badly written, but the intent is good and it’s not a waste of money.”

“The idea is a good one and necessary, but implementation and monitoring are inconsistent and confusing.”

“Costs too much.”

“I work getting people PCI Compliant, and people are ALWAYS confused by the wording. Some of the questions are also repetitive.”

Will the Standards Actually Work?

Question two asked, “Will the PCI standards help keep consumers’ credit card information more secure?” The responses were:

  • Yes: 43.1 percent
  • No: 23.5 percent
  • Not sure: 33.3 percent

Comments to question two were:

“Definitely.”

“Yes, I think so. It will get better and better and more useful to us.”

“It will depend upon how well it’s enforced. If the credit card companies take a heavy-handed approach they could botch things up even worse than the PCI Council has already done with their vague PA-DSS guidelines for open source shopping carts.”

“They do nothing to curb fraudulent card use in online stores. Asking customers to supply an email address for their online purchases would cover 99 percent of the cases since customers would automatically receive a receipt for any purchase giving immediate feedback for fraudulent use. PCI doesn’t cover anything like this.”

“PCI will never be the only or the best, it is the minimum rules to give the credit card users some trust that their information is secured.”

“No. Conscientious merchants will.”

“The PCI standards do not include a requirement for OWASP [Open Web Application Security Project] ESAPI rated at OWASP ASVS L3 or greater. Therefore, it will never help any consumers because 99.1 percent of breaches and 99.9 percent of records are stolen from online data, not end-user data.”

“Some not all.”

“Hopefully.”

“Self assessment. Give me a break.”

“If ecommerce companies become compliant, then yes, PCI standards will help keep consumers’ information secure. Nobody seems to know if the standards will be enforced strictly. Our merchant agreement required compliance since 2007. Nobody has come to us to warn us about non-compliance or threatened to levy any fines. If the PCI standards are not followed or not strictly enforced, then they are worthless.”

“Again, this is a ‘force the industry into something’ tactic. There is no visibility, at least not to merchants. I have no idea if the security will help or not, and no way to find out if the thousands of dollars we’ve spent upgrading and protecting is worth a dime.”

“Consumers provide their own huge security leaks, through bad practices. C/C companies also have policies that don’t make sense and actually reduce security; for example, permitting c/c numbers to be given over phone or fax but charging merchants extra for web-based transactions that are encrypted. Really, really stupid.”

“I would like to believe that PCI standards will help keep consumers’ credit card information more secure, however there is never a guarantee.”

“Like airport security, the PCI standards are the appearance of security without actually being secure. Most site break-ins are due to compromised passwords on virus-infected PCs, which the PCI standard is not going to fix (unless the council produces a 100 percent protection virus suite and requires all internet computers to use it). What’s the point of requiring complexity on the website itself when those with access to the website are the security hole?”

“Doing that form makes them think about it more. Especially when I explain what everything means and the seriousness of consequences from not being PCI compliant.”

Do You Understand the Standards?

Question three asked, “Do you understand the requirements of the PCI standards?” The responses were:

  • Yes: 68.6 percent
  • No: 11.8 percent
  • Other: 19.6 percent

Comments to question three were:

“More or less.”

“The PA-DSS requirements for open source shopping carts are completely unclear. It’s not acceptable that the PCI Council’s support for the open source communities to follow is non-existent. Want proof? Go to http://www.pcisecuritystandards.org and type in ‘open source’ (without the quotes) in the search box at the top of the page. Here’s the result you get: Nothing found while searching for: open source.”

“Yes and no. No two companies measure/test/evaluate standards the same way. How can any merchant understand when this is the case?”

“I haven’t read or looked into them yet.”

“I understand some of them.”

“Not entirely.”

“All I see are complicated technical requirements that work for ‘most’ ecommerce merchants (not us). Low barrier of entry and overhead is the attraction of ecommerce. This adds more cost and significant technical obstacles.”

“The PCI standards in their survey aren’t easily understandable if you are a small business without an IT staff. We consult with a local computer business and had to rely on them to tell us what many of the questions meant.”

“As far as compliance, they are complex beyond belief. It’s as if they emanated from the U.S. Congress. Effort spent there must necessarily reduce effort spent on actual fraud reduction. I think the c/c companies just love this, as they make money off every fraudulent charge. It’s a real profit center for them. Thus, we have PCI.”

“I refer to the PCI Security Standards council website.”

“Hard to find clear information on the subject.”

“More or less, but some requirements are nearly impossible to meet, especially for small business. I think the best way for an ecommerce business to comply is to get the website ‘out of scope,’ so credit card information is not collected, stored or transmitted by the site. Those functions are offloaded to a PCI compliant vendor, who figures out compliance issues. This can be accomplished transparently so the shopper doesn’t sense they’ve gone ‘off-site.’”
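One concrete way to enforce the ‘out of scope’ approach the commenter describes, as an added example that is not part of the original article or the commenter’s words: the merchant’s checkout handler accepts only an opaque token issued by the hosted payment vendor and refuses any submission that contains a card-number-like value, so that a misconfigured form or a customer pasting a card number into a notes field never lands card data on the merchant’s server or in its logs. The `tok_` token format, the field names and the sample submissions are assumptions constructed for this example; the Luhn check is the standard card-number checksum, and the 4111… number is a public test PAN, not real card data.

```python
import re
from typing import Dict, List, Tuple

# Candidate card numbers: 13-19 digits, optionally separated by spaces or
# hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

# Assumed token format from the hosted payment vendor (hypothetical; real
# vendors use their own formats). Only this, never a PAN, should reach us.
TOKEN_RE = re.compile(r"^tok_[A-Za-z0-9]{16,}$")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return normalised card-number-like values found in free text.

    The regex alone would flag order numbers and phone numbers; requiring a
    valid Luhn checksum removes most of those false positives.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def validate_checkout(form: Dict[str, str]) -> Tuple[bool, str]:
    """Gate a checkout submission: reject PAN-like data, require a vendor token.

    Rejecting before any logging or persistence is the point: if the PAN
    never reaches application code, the server stays out of PCI DSS scope
    for storage and transmission of cardholder data.
    """
    for key, value in form.items():
        if find_pans(str(value)):
            # Deliberately do not echo the value back; it would end up in logs.
            return False, f"field '{key}' contains card-number-like data; rejected"
    token = form.get("payment_token", "")
    if not TOKEN_RE.match(token):
        return False, "missing or malformed payment_token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample submissions (not real customer data).
    samples = [
        {"payment_token": "tok_abcdef1234567890", "order_id": "1234567890123456"},
        {"payment_token": "tok_abcdef1234567890", "notes": "charge 4111-1111-1111-1111"},
        {"card_number": "4111111111111111", "exp": "12/25"},
        {"order_id": "42"},
    ]
    for s in samples:
        print(validate_checkout(s))
```

The Luhn filter is what makes this usable in practice: a 16-digit order number or tracking number will match the digit pattern but almost never the checksum, while a real card number always does. Anything that trips the check should be counted and alerted on, because it means card data is arriving at a system that is supposed to be out of scope.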

Take the February Survey

Practical eCommerce’s February 2010 reader survey addresses social media and ecommerce merchants’ use of that medium. Readers who complete it are entered to win a $25 Amazon gift certificate.

Kate Monteith