GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

Agents of change


Industry Update

Private label, public dilemma

Fed insures open loop cards

Reading Black Friday tea leaves

PCI help on the way

Boost online loyalty with new tales


From restaurants to revenue streams

The archetype in the mirror

The archetype in the mirror

The archetype in the mirror

The archetype in the mirror

The spend of Holidays past


Consumers' new mantra: Shop smart

Patti Murphy
The Takoma Group

Embracing PA DSS compliance

Dave Faoro

Gear up now for PCI PED compliance

Biff Matthews
CardWare International

The case for collecting fees

Ken Musante
Humboldt Merchant Services

The case for collecting fees

Ken Musante
Humboldt Merchant Services


Street SmartsSM:
E-commerce essentials

Jason Felts
Advanced Merchant Services

Shifting focus for 2009

Christian Murray
Global eTelecom Inc.

Recruiting top college grads

Curt Hensley
CSH Consulting

A little analysis, significant rewards

Jeff Fortney
Clearent LLC

Looking beyond PCI

Tim Cranny
Panoptic Security Inc.

Preparing risk departments for the holidays

Deana Sellens
Take Charge Business Consulting LLC

10 ways to prevent credit card loss

Gino Kauzlarich

Company Profile

On-line Strategies Inc.

New Products

Lift that tradeshow burden

Jelco Inc.

POS in a box

HP rp3000 POS bundle
Hewlett-Packard Co. LP


Ditch the holiday roller coaster





Resource Guide


A Bigger Thing

The Green Sheet Online Edition

December 08, 2008  •  Issue 08:12:01

previous next

Looking beyond PCI

By Tim Cranny

Payment Card Industry (PCI) Data Security Standard (DSS) is the single biggest information security concern facing most ISOs, their acquirers and merchants, but it is short-sighted to think it is the only issue.

Many ISOs and other organizations are taking a simplistic approach to security and compliance. In the process they are setting themselves up for unnecessary cost and effort, while at the same time missing the chance to make some real improvements to their world. Fortunately, the right approach can avoid these problems and help ISOs and merchants be safer and more compliant, all while helping ISOs' bottom lines.

Elephant in the room

The first question ISOs and merchants ask is, Can I avoid this entire issue and not be at risk? This is a perfectly reasonable question, given that these security and documentation requirements seem like such a distraction from normal business, but the answer for ISOs and merchants is no.

We are currently seeing a rash of hardware vendors and service providers telling merchants, Yes, use our product, and you can avoid PCI issues. But most of these people are, to put it delicately, twisting reality until it surrenders.

All merchants who ever accept, transmit, or process cardholders' primary account numbers during a transaction must comply with the PCI DSS. Far too many of these dubious vendors are using dizzying amounts of spin in their marketing literature. But most are careful enough to quietly water down their claims with "weasel" words like "avoid or minimize PCI problems" somewhere in their fine print.

These vendors are doing their customers and partners a disservice, potentially leaving them exposed to the danger of security and compliance failures.

No quick fix

Usually the next question is, If I can't avoid it, what product or service can I get that solves it all for me? The short answer is - there isn't one. Far too many vendors are claiming they are the silver bullet, but the closer you look at their claims, the more they evaporate.

The longer, better answer is that this isn't really the right question. A better question might be, Is PCI the only thing I need to worry about? The answer here, again, is no - for most merchants and all ISOs.

When considering compliance requirements such as the Gramm-Leach-Bliley Act, the Fair and Accurate Credit Transactions Act, and other state-level legal requirements, you should think of PCI as the leader of the pack, not as an isolated issue. And it is clear to most industry experts that compliance requirements are only going to grow in coming years for a range of political and economic reasons.

But compliance isn't even the real story. The most important thing for merchants and ISOs to remember is that the dangers are real; hackers and thieves are out there trying to steal data and commit fraud; those who don't protect themselves by taking the right precautions will be hacked sooner or later.

Treat the disease

PCI problems are symptoms of a deeper concern. Those who concentrate too narrowly on PCI will find themselves back at square one when it's time to worry about the next compliance requirement or problem - and the next attack.

By dealing directly with the underlying concerns, merchants and ISOs can deal with security and compliance once and for all, at lower cost and with less effort. This is why the question, What solution solves PCI? puts the cart before the horse.

What proper security program should ISOs suggest to their portfolio merchants? The following four pieces of advice are deliberately not created in reaction to PCI. The good news is that following these steps also addresses PCI compliance.

It's not surprising that treating the disease decreases the symptoms. ISOs who give this advice to their merchants are helping them to solve PCI and a whole range of other security matters all in one go:

  1. Recognize that the security threats and compliance issues are real, and they need to be actively addressed. Doing nothing will be more expensive than doing the right thing; the merchant could be attacked or hit with noncompliance penalties and expenses. In either situation, the ISO is put at legal and financial risk.

  2. Avoid specific problems, where possible, rather than solve them. By far the best and cheapest way to handle a security issue is to avoid it altogether. If merchants don't store sensitive cardholder data on their computers, literally dozens of security issues simply disappear, and dozens of complicated, expensive and time-consuming solutions simply lose all relevance.

    In the case of PCI, following this one step dramatically simplifies the merchants PCI burden. And by dramatically, we're not talking about a 10 percent reduction in pain; it's more like 50 percent to 90 percent.

  3. Follow the known path. A lot of advice handed out to people urges them to be different, to avoid the standard solutions, but in the world of security and compliance that's almost always the wrong advice. A good piece of general security advice, directly relevant to PCI, is to follow the tested path.

    If your merchants need POS devices, urge them to choose ones that are known to be compliant with the Payment Application DSS, rather than non-standard solutions.

    If one of your merchants needs a network vulnerability scan for PCI, simply point them to an approved scanning vendor via a partnership you have in place or by directing them to the formal list on the PCI Security Standards Council's Web site at

    The same argument applies to formal PCI audits and choosing a formally certified qualified security assessor.

  4. Recognize and embrace breadth. As we've already said, security and compliance are broad issues and need a broad range of responses. There is no one, magical solution or strategy that will make it all go away, so ISOs need to be able to provide - either directly or through partnership - an equally broad range of solutions and strategies.

    Unfortunately, almost all vendors try to narrow your world down, to make you focus on them, so it pays to carefully look for vendors and partners who explicitly aim at providing the full range of services needed. No one can cover the whole range themselves, so an ISO's best bet is to find a partner willing to act as a portal - a one stop shop for an entire ecosystem of other security and compliance vendors.

Be the tortoise

Merchants and ISOs have a choice: Deal with security and compliance issues with a short-term "what is the minimum I can get away with today?" approach or take a step back and do it once, properly. Following the latter path doesn't mean spending more; it just means spending smarter.

It leads to better security, better and cheaper compliance, and creates the right framework to guide ISOs in their partnership decisions and strategies. It also creates what every organization in the payment processing industry is aiming for: an environment where consumers use payment cards without fear or inhibitions.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. ( He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at or 801-599 3454.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Simpay | USAePay | Impact Paysystems | Board Studios