October 30th, 2009 by Jamie Estep
Making sense of the PCI mess
Filed in: Merchant Accounts | 2 comments
The merchant account industry is in turmoil right now relating to the PCI-DSS fees that just about everyone is currently experiencing. I would like to make an analysis of why we are all seeing these fees and how this whole situation came about.
Just to dispel any hopes that these might be going away soon, they’re not. If anything, PCI is going to get much stricter, as congress has openly stated that PCI-DSS is not nearly enough.
How did we get to this point?
The entire PCI-DSS concept materialized about 5 years ago when Visa created PCI and MasterCard created a program called SDP. By building a security framework on history, logic, and anticipated weaknesses, these programs were designed to be a model for safely storing and transmitting credit card data. Eventually the issuers joined together and created the PCI Security Council, which was meant to be an umbrella organization in charge of PCI standards. The idea was that it would be far easier for merchants to handle a single version of PCI than to have Visa, MasterCard, Amex and Discover each maintain their own standard. Over time, PCI-DSS gained an adoption timeline and became much more organized. PCI covers general operating principles, but it is primarily geared toward network and data security, because the internet and broadband access have created unprecedented opportunities for thieves to remotely steal large amounts of credit card and other sensitive data.
In the beginning, PCI-DSS was rightfully pushed to large merchants (levels 1 and 2) because the effect of a level 1 data breach could be massive, and the processing and storage methods and procedures that these large companies have are often vast. Becoming PCI compliant is no easy task for large companies, even if their systems are already secure well beyond PCI standards.
Once level 1 and 2 merchants were compliant, or in the process of becoming compliant, PCI focused on the smaller level 3 and 4 merchants. Level 3 and 4 merchants are generally much smaller and simpler organizations than level 1 and 2 merchants, but there are millions of them, which has created an entirely different and no less challenging compliance task. That leads us to where we are now…
Where are we now?
We are now at the point where processors (we’ll get to why it’s the processors…) are forcing their level 4 merchants to become compliant. Since only a small handful of the millions of level 4 merchants were compliant before 2008, getting them compliant is an enormous task. There are so many level 4 merchants in the US that most processors outsourced compliance to a third party such as SecurityMetrics. Most merchants who were not PCI compliant were charged a PCI setup fee (monthly, quarterly, or yearly), and most will be charged further if they do not become compliant. Just about every processor’s PCI fees and methods are different, but just about every processor now has them.
At this point, merchants of any size and type must get PCI compliant or face fines and/or potential closure.
What PCI has never been.
There’s a huge misconception that PCI provides security, but this is not the case.
PCI has never been a seal of security. It does not provide security. It is not the end-all solution to becoming secure, and most would agree that it isn’t nearly enough.
It is a standard, a framework, covering the minimum steps needed to be somewhat secure. If at any time all of the requirements of PCI are not met, a business is neither compliant nor secure. You cannot get compliant and then stop worrying about security until you fill out the PCI questionnaire next year. Security can only be achieved if you are always secure, and security usually requires work well beyond what PCI covers.
Where things went awry…
There are 2 factors to which I attribute the mess that everyone is seeing right now.
First off, MasterCard broke away from PCI and made some of its own, stricter, policies. MasterCard requires all merchants to get security scans even if they don’t process over the internet or an IP connection. Unfortunately, because this policy allows no exceptions, it creates a lot more work for small merchants who don’t process over the internet. Logically this makes no sense, and I believe it is a truly terrible policy by MasterCard’s administration. Even so, I don’t see them reversing their position, ever…
Secondly, processors were made accountable for breaches and for the compliance of level 4 merchants. This is extremely irresponsible, because processors do not have the means to provide these services, and the issuers are making the majority of the money from merchants’ credit card processing. By dumping this on processors, one can only expect them to charge for the huge amount of time that is required to get this task done. About a million PCI scanning companies popped up in the past 2 years because there’s just so much scanning that needs to be done.
Why PCI (Not security!) is a joke!
I had a business owner explain to me how easy it was to get PCI compliant. All he needed to do was check YES in all the boxes.
When I explained to another business owner a few weeks ago that even if they get PCI compliant, PCI does not provide any protection from fines or other fees if they do suffer a breach, he just laughed.
And that’s the way most people view it: a joke. PCI is a facade to placate consumers and the government (who’s not buying it) into thinking that issuers are actually trying to do something for data security. If that were really the case, PCI would provide some damn protection to those who take the steps to get secure and go through the hassle of becoming compliant, and it would be significantly stricter. PCI doesn’t go far enough to properly secure data, so instead of helping anyone, another multi-billion dollar industry was created (the PCI scanning folks) on the backs of businesses, and it isn’t actually doing any good.
I fear that until there’s some benefit to becoming compliant, and until issuers stop creating ridiculous standards like forcing merchants to get a security scan when they don’t store or process cards over the internet, PCI won’t be taken seriously. And truly, what is the deal with all the scanning?
Some more good PCI related resources:
Thoughts and Notes from PCI DSS Hearing in US House of Representatives
PCI DSS checklist: Mistakes and problem areas to avoid
PGP Archive for PCI-DSS
Thanks for this post. As a credit card user and as someone who is aware of the happenings in the backstage of credit card processing, I think the PCI is much needed. I cannot imagine e-commerce getting anywhere without the minimum standardization the PCI imposes on all players. The unbearable lightness of fraudulent activities over the internet would eventually chase shoppers away. As you do, I too think merchants should refer to PCI compliance as a conceptual framework and do whatever they can to tighten security, protecting their shoppers.
Dan Pirogovsky
Co founder and SVP BD
http://www.creditcardprocessing-r-us.com/
Very informative post. Before reading this post I didn’t know anything about PCI. But now I understand the importance of PCI.
Thanks a lot.