Practical Ecommerce

PCI Council Exec on Criticisms of Security Standards

The major credit card brands, Visa, MasterCard, American Express and Discover, have adopted a common set of standards to protect consumers' card data. The standards are self-regulation by those companies, not government law, and the brands created an organization to administer them: the PCI Security Standards Council.

The PCI standards apply to every business, online or not, that accepts those cards, and all of them are required to become compliant. But compliance is complicated, confusing and often expensive. A merchant that fails to achieve compliance can be fined by the card brands and is otherwise left exposed to substantial legal liability.

Critics of the PCI standards say that the brands themselves should secure their cards, not the merchants. They also say that an entire industry of PCI-related vendors, offering conflicting advice and driven by their own motives, now profits from merchants.

The major brands nonetheless set July 1, 2010, more than a year ago, as the deadline for merchants to be compliant and to use only validated payment applications. That deadline has been met with both fear and apathy: fear from merchants who are not compliant, and apathy from many shopping cart providers who have ignored their own role in application and payment compliance. Of the roughly 600 shopping carts on the market, only about 75 appear on the lists of approved providers. (The list of approved licensed shopping carts is the PA-DSS list maintained by the Security Standards Council; the list of approved hosted carts is maintained in a PDF document published by Visa.)

The PCI Security Standards Council itself remains eager to help merchants and their vendors understand the standards and their respective roles under them. Bob Russo is the Council's general manager. He spoke with us recently about the status of the standards, the critics' view of them, and his organization's mission.

Practical eCommerce: What is the status of the PCI Security Standards?

Bob Russo: “Awareness and adoption seem to be growing very rapidly, because the risk is really increasing on the part of smaller merchants. They need to build some of this stuff into their business plans in order to be successful, and I think they realize that they have got to do that.”

PEC: Credit card security is huge, but there are so many vested interests in this field that it’s very hard to get an objective view. It’s a hard thing to cut through and report facts. What are your thoughts on that?

Russo: “Vendors are always going to try and steer you towards whatever it is that they’re selling. So, you really need to do your due diligence. That’s why the Council is here, so you’ve got an independent resource to look at all of the issues, and at many of the applications that these guys are trying to sell, to provide non-biased guidance. We provide a listing of these applications that meet minimum security requirements and security best practices on our PA-DSS listing.”

PEC: There are somewhere around 600 shopping carts. Every ecommerce merchant deals with one. There are licensed carts and hosted carts. How many of those are compliant now?

Russo: “I’d have to take a look, but I think our site’s got somewhere in the vicinity of about 30 carts listed under ‘shopping carts’ as PA-DSS-approved, but that is only one category. There are a number of categories. So carts may be listed under an additional category like ‘card not present’ or ‘payment gateway’ or ‘payment middleware.’ But in total we’ve got over a thousand applications that are currently listed on the PA-DSS-approved site.

“The easiest thing for merchants is to ask the vendors, ‘Are you guys PCI-compliant?’ Then have them indicate whether or not they are, and if they say they are and you can’t find them, ask them why they’re not listed on our site. You’re becoming conspicuous by your absence if you’re not on this list, especially since most vendors now are more aware of PCI. Many of them will say, ‘Oh, we’re on the road to becoming PCI-compliant. We’ve submitted our application,’ or something like that, but at least give them notice that you’re PCI aware, and engage your buying pattern based on what their answer is.”

PEC: Magento is among the largest shopping carts in terms of users. Magento does not appear on an approved PCI list. What do you say to the smaller cart companies that have spent the money to become compliant, when some of the biggest providers aren’t?

Russo: “I think ultimately the merchants and the processors are going to pressure these folks into becoming compliant and making sure that all of their products meet the PCI requirement. I know for sure that eBay (which owns Magento) is concerned about security; they’re part of the Council. I would encourage your readers again to ask the question of Magento and see what they say in answer. eBay is very, very security conscious. So I think it’s just a matter of time before you see them on the PA-DSS list.”

PEC: Assume I’m a merchant and I ask that question to any provider, not just Magento, and the provider says ‘we can’t afford it’ or ‘we’re working on it’ or ‘we’re getting there’ or ‘we meet all the requirements, but we just haven’t submitted the application.’ What would you do as a merchant?

Russo: “You really need to bake security into whatever you do. If you don’t plan for security, you’re planning to fail at some point, especially in today’s environment. So, I would weigh very, very carefully what they tell you. As a merchant, you know that if you go to somebody PCI-compliant, you’re at least starting on a solid foundation, whereas some of these other guys have been trying to just give you a story that they are becoming PCI-compliant or ‘we’re already doing everything that they’re saying we should do, so we don’t need to be PCI-compliant.’ Think of it in your everyday life. Regardless of what you’re buying, would you buy something from someone who told you that?”

PEC: Opponents of PCI say the credit card brands, processors, and merchant account providers are all highly profitable and they all depend on merchants, yet those organizations cannot protect the integrity of their own credit card numbers and they’re relying on merchants to do it for them. Opponents say that is fundamentally unfair. Thoughts on that?

Russo: “First of all, I disagree with the notion that they’re not doing everything in their power. As you know, they were part of forming the Council. They’ve all adopted the PCI standards as the foundation for their compliance program. So, just like you lock your business up at night to prevent burglars from coming in, you need to lock up your organization to prevent somebody from coming in and stealing whatever it is that you’re selling, but in this case also stealing any kind of data that you’ve got there.

“Security needs to be baked into any business plan that you come up with, and it doesn’t have to be hugely expensive. Many of the elements have been commoditized, and we’ve tried to set appropriate levels of expectations according to your business size, so validating your security is much easier for a smaller business than it is for a larger one these days. It’s very commonsense kinds of things that we’re asking people to do; most small businesses are already doing a lot of these things because it’s just good business practice.

“We’re not asking for somebody to go out and do something draconian. We’re asking you to do commonsense things to protect your business. I would encourage your readers to go to our website and look at some of the guidance documents that are available for smaller merchants. Lots of helpful information there and documents there.”

PEC: You’ve always been very forthcoming with us, fielding criticism-type questions that we’ve asked. Your organization is now inviting ideas for the formation of new special interest groups to help with areas that need clarification. Could you talk about this initiative from the Security Council?

Russo: “Special interest groups are not new to the Council; we’ve had them for quite some time. We’re basically just reorganizing the way we look at these special interest groups. It’s very important to remember that our participating organizations really bring valuable market perspective not only to the Council, but to their peers, and they do that through these special interest groups.

“What we’re doing now is accepting recommendations for new special interest groups from all of the constituents. There are almost 700 companies that are part of the Council, from the biggest banks all the way down to associations that probably represent many of your readers. If you’re a participating organization, you can fill out one of these forms to propose a special interest group. We’re collecting these forms from now through the end of August.

“Once we get all of these forms, our technical working groups will sift through them looking for the most well defined. We’ll create a shortlist of 7 to 10 of these ideas. Then we’ll go back to the people who proposed them and let them know that their ideas have been accepted. If there are additional questions that we have, we’ll get them answered, then each one of the people who have addressed one of these things will have the opportunity to come to our community meetings in September and October, both here in North America and over in Europe, to present their idea to the crowd. If you’re not able to make the community meeting, it will be recorded for you.

“After these two community meetings, our entire constituency will vote on these special interest groups and we will pick the top three, possibly four, and stand them up for a year. They’ll have a defined deliverable. So we’ll know going in exactly what the outcome of these are going to be, and then as soon as the deliverable is done, it will be published and will be out there for everyone to take advantage of.”

PEC: Anything else on your mind for our audience of ecommerce merchants?

Russo: “I’d just like to revisit what I said before, that security has to be part of everything that you do. It has got to be baked in. I know you’ve heard me say this before, but the standards being highly prescriptive and detailing exactly what you need to do to get secured is a real benefit. It’s not as if we’re saying you need to become secure, so go out there and become secure. We’re actually telling you some of the things that you need to do, some of the things that you need to create a very solid foundation for securing your business, which is one of the more important things that you have to do when you’re starting a business.”


  1. Alex Mulin August 12, 2011

    PCI-DSS stuff seems to me like another kind of bubble.

    My reason why I think so: many talks and no real results.

    E.g. most online merchants do not know about PA-DSS requirements in case they take customers’ credit cards right on their web-sites. I haven’t heard about dozens of merchants fined due to not using PA-DSS compatible solutions.

    Just look through forums – nobody is worried about the PA-DSS deadline that passed a year ago and many still host forms to enter credit cards!

    Shopping carts do not hurry to implement PA-DSS either.

    Leaders like Magento’s Payment Bridge integrate with a few payment processors and a merchant has to pay thousands of USD a year to use it.

    X-Cart’s X-Payments was approved as PA-DSS certified a year after they submitted their application.

    PinnacleCart is PA-DSS certified, but they release new features as minor releases in order to avoid PA-DSS re-certification and save the costs involved in this. Why do they act so? Nobody needs PA-DSS compliance because nobody actually enforces it.

    All of that says a lot.

  2. cokekiller August 16, 2011

    This person is the top paid industry shill. He still hasn’t answered the question. Why should the merchant be forced to secure your insecure system? If your archaic insecure payment system wasn’t so insecure, I wouldn’t have to "bake in" data security in my business plan. Sure, maybe to protect my customer list and contact data, but that’s it! This is akin to asking the bank depositors to pay to secure the bank vault for the bank and then have them actively take part in the manufacturing of said vault. IT IS LUDICROUS!

    What is so telling in all this (and it literally boggles my mind) is that it is cheaper for the big 4 to create these standards, create the council, pay the above shill, and enforce the standards than it is to fix their crappy payment system. By doing this, they are basically admitting to us that it is un-fixable, right?

    No one enforces it because it is not a law. It is the 4 major brands colluding to enforce "standards" down the chain. The brands enforce standards (through the threat of fines) on the merchant banks and processors, who in turn require the standards of us, the merchants, in order to do business with them. It is the merchant bank who is threatened by fines, not the merchant. However, your agreement fine print may now or in the near future contain language concerning pass-through of those fines. But it is kind of BS since they shouldn’t have agreed to do business with you if you weren’t PCI compliant in the first place. So you could probably fight that to a point.

    Anyway. As a small merchant. You are right. Who cares. Just like a mafia protection scheme, pay up or feel the pain. But we know that’s not how those schemes work. It is not about pain. It only works by using fear. So they will pick and choose big and mid tier businesses to selectively enforce and fine in order to scare the rest of the rabble into line.

    It’s the same old story. When you have a monopoly you can do whatever you want. I for one can’t wait for the day when the Netflix of the payment industry is created and these companies who do not add one iota of economic value to our society (payment/transfer of electronic funds is a utility function) and simply exist to skim off the top of every commerce transaction in existence. I will be dancing in their ashes.

    One can dream right ;-)

  3. khnum48 July 30, 2012

    Just recently 47 organizations were breached and these organizations were PCI compliant. The real question is, will any of them be fined by the PCI Council? I’m guessing none, because if they decide to fight the fines and can demonstrate that they followed PCI guidelines to the letter (remember, they were rated as PCI compliant), the guidelines created by the council will be proven to be worthless. Why would companies like Magento pay to become compliant with a useless security standard?