Practical Ecommerce

Where the PCI Security Council Goes Wrong

In interviewing numerous PCI compliance experts for a series of articles on Practical eCommerce, I have found one thing about PCI compliance to be clear: no one seems able to address the issue of enforcement. For example, if I am a merchant who is found to be PCI non-compliant in some regard, what will happen to me when my lack of compliance is discovered? Will I lose my ability to accept credit cards? Will I be fined? If I am fined, how much will that fine be?

In the absence of specific answers to those questions, speculation reigns. And a merchant who has worked hard to build his or her business does not like to be put in the position of having to speculate on that business’ future.

I spoke with Rick Wilson, executive vice president of shopping cart provider Miva Merchant, for this article. Wilson has studied the issue extensively and believes there are several areas in which the PCI Security Standards Council has gone wrong. They are areas that the council can still set straight. All of those areas can be grouped under one larger category: enforcement.

The Problem with Vagueness

Rick Wilson

Wilson says he understands the frustration felt by ecommerce merchants who don’t know how lax or severe enforcement of PCI compliance will be. “The decision, at least on our part, to take PA-DSS and PCI compliance very seriously became a many hundreds of thousands of dollars decision…and we’re in that same boat [as merchants]. We have no idea where compliance is going to come down.”

As a result, Wilson says, merchants feel threatened and fearful. And where there is fear, there is an opportunity for someone to turn a profit in an unethical way.

Profiteering and Predatory Practices

Regarding the PCI Security Council, Wilson says, “I’d love to see them stop the predatory practices of a lot of these merchant account providers.”

What Wilson is referring to are so-called “PCI compliance fees” that certain merchant account providers levy unnecessarily. A merchant account provider has a right, perhaps even a duty, to suggest that a particular company scan the merchant’s systems to ensure PCI compliance. But sometimes the merchant is already compliant.

“You can be with a no-brand ISO [Independent Sales Organization] and they say, ‘You’re not PCI compliant. You need to use our scan.’ And the customer can say, ‘Well hold on, I am PCI compliant. I’m using this level one service provider certified service.’ And they say, ‘But yeah, our requirement is this particular company.’”

Paying a second provider to run the same PCI compliance scan adds nothing to the merchant’s security; it only adds to the merchant’s costs.

“It’s infuriating and I think the PCI Security Council should do something about that,” Wilson said.

What Changes to Make

PCI certification, in Wilson’s estimation, should be more objective.

“I should be able to go to Visa and MasterCard and submit my PCI certification and not have my merchant account company have any say in whether or not it’s valid. It’s either valid or it’s not. And that should be an objective standard defined by the PCI Security Council.”

Two Ends of the Spectrum

The PCI Security Council set an ambitious and worthy goal, “To enhance payment account data security by driving education and awareness of the PCI Security Standards.” Data breaches are not acceptable for customers doing business on the Internet.

Many people I’ve interviewed believe there will be a “shakeout” among payment application providers (i.e. shopping cart providers) because some of them cannot meet or prove that their systems are secure.

Bob Russo

PCI Security Standards Council general manager Bob Russo told me, “We don’t expect them [merchants] to be security experts. We do, however, expect them to at least know that they have some responsibility for protecting this data.” He went on to say that if merchants just ask providers if they are PCI compliant, “that’s generally enough.”

But it really isn’t enough. A merchant can easily overpay for security services and scans because he or she is acting out of fear. A merchant who doesn’t fully understand the issue of PCI compliance is vulnerable to the profiteers that Wilson mentioned.

And that merchant will remain vulnerable unless the Council does something to stop that profiteering from happening in the first place.

Kevin Patrick Allen


Comments (2)

  1. Jagath Narayan, December 12, 2009

    If the merchant is using a hosted shopping cart like Miva, then doesn’t the PCI compliance responsibility lie on the host or the shopping cart company? I understand that the merchant needs to do it if he is running his own servers.

  2. Kevin Patrick Allen, December 15, 2009

    Responsibility for PCI compliance ultimately falls back on the merchant. You can check to see if your hosted cart is PA-DSS compliant by [viewing this PDF list on Visa’s site.](http://usa.visa.com/download/merchants/validated_payment_applications.pdf)

    The list of PA-DSS compliant _licensed_ carts (versus hosted carts) is on the PCI Security Council’s site. These licensed carts are included in the [list of "Validated Payment Applications."](https://www.pcisecuritystandards.org/security_standards/vpa/)