GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

New moves for more mojo in '09


Industry Update

Online shoppers stay the course

Morgan Stanley sues Discover

TARP eases AmEx woes

Is TALF on target?

RBS staves off hackers

Shift4 podcast available


Mt. Snow clear for summit

Getting smart about contactless

Industry Leader

Paul Martaus –
The go-to guy

Selling Prepaid

SellingPrepaid now in print

Prepaid in brief

Going boldly into m-commerce

Achieve wellness with rewards

A new outlook for the unbanked


How to preserve self-regulation

Biff Matthews
CardWare International

A countertop tonic for recession blues

Bulent Ozayaz

Changes afoot, challenges ahead

George Sarantopoulos
The Access One Group


Street SmartsSM:
Become an enterprising networker

Jason Felts
Advanced Merchant Services Inc.

The new age in customer retention

Christian Murray
Global eTelecom Inc.

Rising above recession: 10 tips

Curt Hensley
CSH Consulting

PCI, an aspect of PII

Ross Federgreen, Ken Musante and Theodore Svoronos

PCI: What to hope for in 2009

Tim Cranny
Panoptic Security Inc.

Weathering the coming payment storms

Jeff Fortney
Clearent LLC

Company Profile

Charge Card Systems LLC

New Products

Seek profitable harbor with POS

Harbortouch POS Systems
Company: United Bank Card Inc.

Securing data on the edge

Cipher Security Module
Company: Semtek Corp.


Beyond resolutions

Beyond resolutions



Resource Guide


A Bigger Thing

The Green Sheet Online Edition

January 12, 2009  •  Issue 09:01:01

previous next

PCI: What to hope for in 2009

By Tim Cranny

The end of the old year and the start of the new is a good time to step back and review where the Payment Card Industry (PCI) Data Security Standard (DSS) compliance program has taken us - to look at what has gone right, what has gone wrong, and what ISOs, merchants, and the rest of the payment card industry can hope for in 2009.

The PCI DSS was expanded and refined in 2008, and this was generally done in a careful, effective way. The year saw a modest revision of the standard, as well as escalating compliance demands on payment applications. And it was the start of the long, demanding process of bringing smaller merchants into compliance.

It also saw steady, although not spectacular, improvement in the compliance and validation success rates for merchants across the board. All of this is real progress and directly serves the ultimate goal of PCI: to protect cardholders, their privacy and their transactions.

However, not everything is ideal with PCI, and it's far from guaranteed that the problems that do exist are just the growing pains of a still-young standard. The more pessimistic analysis, and probably the more realistic, is that the active involvement of the PCI Security Standards Council (SSC) and payment brands will be necessary to make sure the PCI achieves its longterm goals.

PCI compliance will be a big issue for ISOs in 2009. Understanding problems associated with compliance and knowing what to worry about (and what not to worry about) will make the year ahead safer, simpler and more rewarding.

PCI issues can be divided into two basic categories: real challenges and artificial challenges. As we'll see, too many ISOs are being distracted by artificial challenges, most of which are really little more than counter-productive vendor fights.

Real challenges

These are the almost-silent problems faced by individual merchants trying to grapple with PCI. For larger (level 1) merchants, compliance is just a chore: The company is large enough and sophisticated enough to meet the challenge with either in-house expertise or consultants.

But for smaller merchants the administrative, technical and security demands of PCI compliance are always going to be daunting.

After assisting thousands of merchants with their PCI validation and compliance efforts, it is clear to Panoptic Security that many smaller merchants are having several different types of problems with PCI.

Remember that PCI has two types of demands:

It has been obvious for a long time that compliance places a heavy burden on merchants: The standard is both broad and deep, and many merchants are going to find it a drawn-out, difficult process to make the required hardware, software and procedural changes needed to get into compliance. But above and beyond that, all too many merchants are struggling even with the simpler mechanics of validation.

For example, at Panoptic Security, we were surprised how much attention was needed to walk merchants through the process of identifying which Self-Assessment Questionnaire (SAQ) was applicable.

Our statistics show that when exposed to the standard raw wording of the SAQ, many merchants (one in eight) will incorrectly self-identify as a service provider, dropping them into the longest, most complicated SAQ (version D).

When we followed up with such merchants, many of them said that since they did, in fact, provide services to their customers, they had answered the question that way without seeking further clarification.

It is clear that many of these merchants were incorrectly classifying themselves, because with comprehensive real-time assistance, the number of merchants identified as service providers dropped significantly.

This example emphasizes an ongoing challenge of PCI compliance. Simplification is needed, but simplifying the process by adding clarifications, alternatives, and flexibility can actually make things more complicated and time-intensive. In the latest version of the SAQs released in late 2008, the expanded handling of "not applicable" options has almost doubled the page count of SAQ A - from eight to 15 pages.

Artificial challenges

Real issues relate to how merchants assess and improve their security to better protect cardholders. Unfortunately, a lot of confusion and wasted effort is coming from vendors trying to influence industry trends in their favor. A critical factor in the PCI's long-term health will be its willingness to limit the extent of this spin. This will help merchants, ISOs and acquirers focus on the real goal of protecting cardholder data.

One example of this spin relates to the first generation of security vendors for PCI, the Qualified Security Assessors (QSAs), who are essentially consultants servicing the large merchants first targeted by PCI.

The QSA business model is fundamentally inappropriate for dealing with the millions of smaller merchants now being targeted for PCI validation and compliance.

But some members of the QSA community are pushing their services with the line "only a QSA can help small merchants with their Self-Assessment Questionnaire." That is obviously incorrect, given the meaning of the word self-assessment, but ISOs must cut through the hype to see what solutions and strategies are best for them and their merchants.

A more dangerous distortion that has been around for a while comes from a few payment application vendors promising that they make PCI "go away" with the purchase of their solution. It's true that the right payment application (properly installed and maintained) can greatly simplify a merchant's PCI burden, but that's a very different thing from avoiding PCI altogether.

Again, ISOs who uncritically accept these types of statements may find that they've made the wrong partnership deal and may still have portfolio risks they thought had gone away.

Looking ahead

ISOs, merchants, and everyone else in the payments industry will have an easier 2009 if the PCI SSC and the payment brands:

ISOs that concentrate on the real challenges of PCI compliance and avoid wasting resources on artificial challenges can make 2009 a year in which PCI actively helps them so they can end the year with safer merchants and stronger businesses.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. ( He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at or 801-599-3454.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Simpay | USAePay | Impact Paysystems | Board Studios