The major credit card brands of Visa, MasterCard, American Express and Discover have adopted standards to protect consumers’ credit card data. The standards are self-regulation — not government law — by those companies, which have also created an organization to administer it all. That organization is PCI Security Standards Council.
The PCI standards require all businesses — online or not — that accept those credit cards to become compliant. But compliance is complicated, confusing and, oftentimes, expensive. A merchant’s failure to achieve compliance can result in fines from the credit card brands and can otherwise expose a merchant to large legal liability.
Critics of the PCI standards say that the brands themselves should protect the security of the cards, and not the merchants. Critics say an entire industry of PCI-related vendors — with conflicting advice and motives — now profits from merchants.
But the major brands nonetheless required compliance by merchants as of July 1, 2010 — more than a year ago. That date has been met with both fear and apathy. There’s fear from merchants who are not compliant, and apathy from many shopping cart providers who have ignored their role in obtaining application and payment related compliance. Of the roughly 600 shopping carts, fewer than 75 or so appear on the lists of approved providers. (The list of approved licensed shopping carts is maintained by the Security Council; the list of approved hosted carts is maintained in a PDF document by Visa.)
But the PCI Security Council itself remains eager to assist merchants and their vendors understand the standards, and their respective roles in them. Bob Russo is the general manager of the Council. He spoke with us recently on the status of the standards, the critics’ view of them, and the mission of his organization.
Practical eCommerce: What is the status of the PCI Security Standards?
Bob Russo: “Awareness and adoption seem to be growing very rapidly, because the risk is really increasing on the part of smaller merchants. They need to build some of this stuff into their business plans and in order to be successful, and I think they realize that they have got to do that.”
PEC: Credit card security is huge, but there are so many vested interests in this field that it’s very hard to get an objective view. It’s a hard thing to cut through and report facts. What are your thoughts on that?
Russo: “Vendors are always going to try and steer you towards whatever it is that they’re selling. So, you really need to do your due diligence. That’s why the Council is here, so you’ve got an independent resource to look at all of the issues, and at many of the applications that these guys are trying to sell, to provide non-biased guidance. We provide a listing of these applications that meet minimum security requirements and security best practices on our PA-DSS listing.”
PEC: There are somewhere around 600 shopping carts. Every ecommerce merchant deals with one. There are licensed carts and hosted carts. How many of those are compliant now?
Russo: “I’d have to take a look, but I think our site’s got somewhere in the vicinity of about 30 carts listed under ‘shopping carts’ as PA-DSS-approved, but that is only one category. There are a number of categories. So carts may be listed under an additional category like ‘card not present’ or ‘payment gateway’ or ‘payment middleware.’ But in total we’ve got over a thousand applications that are currently listed on the PA-DSS-approved site.
“The easiest thing for merchants is to ask the vendors, ‘Are you guys PCI-compliant?’ Then have them indicate whether or not they are, and if they say they are and you can’t find them, ask them why they’re not listed on our site. You’re becoming conspicuous by your absence if you’re not on this list, especially since most vendors now are more aware of PCI. Many of them will say, ‘Oh, we’re on the road to becoming PCI-compliant. We’ve submitted our application,’ or something like that, but at least give them notice that you’re PCI aware, and engage your buying pattern based on what their answer is.”
Russo: “I think ultimately the merchants and the processors are going to pressure these folks into becoming compliant and making sure that all of their products meet the PCI requirement. I know for sure that eBay (which owns Magento) is concerned about security; they’re part of the Council. I would encourage your readers again to ask the question of Magento and see what they say in answer. eBay is very, very security conscious. So I think it’s just a matter of time before you see them on the PA-DSS list.”
PEC: Assume I’m a merchant and I ask that question to any provider, not just Magento, and the provider says ‘we can’t afford it’ or ‘we’re working on it’ or ‘we’re getting there’ or ‘we meet all the requirements, but we just haven’t submitted the application.’ What would you do as a merchant?
Russo: “You really need to bake security into whatever you do. If you don’t plan for security, you’re planning to fail at some point, especially in today’s environment. So, I would weigh very, very carefully what they tell you. As a merchant, you know that if you go to somebody PCI-compliant, you’re at least starting on a solid foundation, whereas some of these other guys have been trying to just give you a story that they are becoming PCI-compliant or ‘we’re already doing everything that they’re saying we should do, so we don’t need to be PCI-compliant.’ Think of it in your everyday life. Regardless of what you’re buying, would you buy something from someone who told you that?”
PEC: Opponents of PCI say the credit card brands, processors, and merchant account providers are all highly profitable and they all depend on merchants, yet those organizations cannot protect the integrity of their own credit card numbers and they’re relying on merchants to do it for them. Opponents say that is fundamentally unfair. Thoughts on that?
Russo: “First of all, I disagree with the notion that they’re not doing everything in their power. As you know, they were part of forming the Council. They’ve all adopted the PCI standards as the foundation for their compliance program. So, just like you lock your business up at night to prevent burglars from coming in, you need to lock up your organization to prevent somebody from coming in and stealing whatever it is that you’re selling, but in this case also stealing any kind of data that you’ve got there.
“Security needs to be baked into any business plan that you come up with, and it doesn’t have to be hugely expensive. Many of the elements have been commoditized, and we’ve tried to set appropriate levels of expectations according to your business size; so to validate your security is much easier for a smaller business than it is for a larger one these days. It’s very commonsense kinds of things that we’re asking people to do, most small businesses are already doing a lot of these things because it’s just good business practice to do these things.
“We’re not asking for somebody to go out and do something draconian. We’re asking you to do commonsense things to protect your business. I would encourage your readers to go to our website and look at some of the guidance documents that are available for smaller merchants. Lots of helpful information there and documents there.”
PEC: You’ve always been very forthcoming with us, fielding criticism-type questions that we’ve asked. Your organization is now inviting ideas for the formation of new special interest groups to help with areas that need clarification. Could you talk bout this initiative from the Security Council?
Russo: “Special interest groups are not new to the Council; we’ve had them for quite some time. We’re basically just reorganizing the way we look at these special interest groups. It’s very important to remember that our participating organizations really bring valuable market perspective not only to the Council, but to their peers, and they do that through these special interest groups.
“What we’re doing now is accepting recommendations for new special interest groups from all of the constituents. There are almost 700 companies that are part of the Council, from the biggest banks all the way down to associations that probably represent many of your readers. If you’re a participating organization, you can fill out one of these forms to propose a special interest group. We’re collecting these forms from now through the end of August.
“Once we get all of these forms, our technical working groups will sift through them looking for the most well defined. We’ll create a shortlist of 7 to 10 of these ideas. Then we’ll go back to the people who proposed them and let them know that their ideas have been accepted. If there are additional questions that we have, we’ll get them answered, then each one of the people who have addressed one of these things will have the opportunity to come to our community meetings in September and October, both here in North America and over in Europe, to present their idea to the crowd. If you’re not able to make the community meeting, it will be recorded for you.
“After these two community meetings, our entire constituency will vote on these special interest groups and we will pick the top three, possibly four, and stand them up for a year. They’ll have a defined deliverable. So we’ll know going in exactly what the outcome of these are going to be, and then as soon as the deliverable is done, it will be published and will be out there for everyone to take advantage of.”
PEC: Anything else on your mind for our audience of ecommerce merchants?
Russo: “I’d just like to revisit what I said before, that security has to be part of everything that you do. It has got to be baked in. I know you’ve heard me say this before, but the standards being highly prescriptive and detailing exactly what you need to do to get secured is a real benefit. It’s not as if we’re saying you need to become secure, so go out there and become secure. We’re actually telling you some of the things that you need to do, some of the things that you need to create a very solid foundation for securing your business, which is one of the more important things that you have to do when you’re starting a business.”