GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

No train, no gain


Industry Update

Heartland clamps down on breach

Heartland's call to action

Money launderers game for online merchants

Friendly fraud raises fears

2009 Calendar of events


Strong LINC in the payments chain

One council, one voice

Selling Prepaid

It's a wide, wide world of prepaid

Prepaid in brief

The prepaid landscape for 2009

Lessons learned from European prepaid

The benefits of tax refunds on plastic


Make security a small-merchant priority

Scott Henry

Revisit that elevator speech

Biff Matthews
CardWare International

The long fingers of PCI

Ross Federgreen and Rick Allen


Street SmartsSM:
Remain in service? Be of service

Jason Felts
Advanced Merchant Services Inc.

Stand by your plan

Jeff Fortney
Clearent LLC

Helping merchants help themselves

Christian Murray
Global eTelecom Inc.

Collecting opportunities

Curt Hensley
CSH Consulting

Totally tailored presentations

Daniel Wadleigh
Marketing Consultant

Get the FUD out of PCI

Tim Cranny
Panoptic Security Inc.

Company Profile

ProPay Inc.

ACH Payment Solutions

New Products

When taking debit becomes a snap

Snap-on Mobile Payment Device
Company: Motorola Inc.

A mobile printer for the payments jungle

EM 220
Company: Zebra Technologies Corp.


Ditch the dark side



Resource Guide


A Bigger Thing

The Green Sheet Online Edition

February 09, 2009  •  Issue 09:02:01

previous next

Get the FUD out of PCI

By Tim Cranny

Merchants are being unnecessarily frightened by vendors trying to lock in the idea that the Payment Card Industry (PCI) Data Security Standard (DSS) is always horribly complicated, and the only way to tackle it is to buy expensive hardware, software or services.

And misrepresentations involving PCI compliance are not just affecting merchants: They hurt ISOs, merchant level salespeople (MLSs), acquirers and others in the payments industry as well.

Too many ISOs and acquirers are taken in by talk of unavoidable complications and costs and are reacting in counterproductive ways. Some are ignoring PCI, hoping it will go away. Some are going to the other extreme: hitting their merchants with aggressive and tone-deaf requirements to the point at which some merchants are threatening to move to other acquirers or service providers.

Match method to merchant

It is true that for many merchants - particularly larger merchants - PCI is complicated. However, this need not be the case for everyone else, especially for small merchants. ISOs and MLSs can and should offer these merchants relatively simple, painless and inexpensive routes to compliance.

This article provides simple steps that can significantly lighten the burden and expense of PCI compliance. It also offers tips on how to tell when a vendor is making life more complicated than it really needs to be by spreading fear, uncertainty and doubt (FUD).

The right perspective will help ISOs and MLSs steer the proper middle course, giving each merchant the right level of service, laying out the right set of compliance and validation obligations, and, most importantly, ensuring cardholder information is protected against identity theft.

This means a one-size-fits-all strategy for dealing with merchants in a portfolio is never going to work. Some merchants are designated high-risk because of the number of transactions they handle or because they store cardholder data or are accessible over the Internet. PCI imposes a higher validation burden on these types of merchants.

It is likely such merchants need, and might even appreciate, a broad range of services. However, most merchants live in a simpler world. Imposing the same broad range of services and costs on them is hard to justify.

Doing so might help vendors and simplify the decision-making process, but it also burdens merchants with unnecessary services and gives them the impression that PCI is an expensive, complicated process that is divorced from reality.

ISOs should therefore look for a solution package that recognizes, and gracefully handles, the diversity of merchant environments. For example, only merchants who use an Internet-accessible payment application need network scans, and only they should have to pay for them.

ISOs also need to help merchants adjust operations to deal with PCI in the smartest way possible - not by running headfirst into challenges and then hopefully overcoming them, but by avoiding them altogether.

This is almost always the most secure and cost-effective way to deal with security issues; it also causes the least disruption to business. I am not talking about trying to "trick" PCI by avoiding assessments but rather passing assessments with flying colors by avoiding exposure to risks in the first place.

Ease the compliance burden

Here are ways for merchants to make PCI compliance and validation a simpler, less expensive process. Not all are relevant to every merchant, but it's a checklist that all merchants should consider:

Many merchants already have the suggested practices in place and live in a world in which PCI compliance can be relatively simple and painless. It's critical that ISOs avoid clumsy moves that punish these merchants with unnecessary cost and confusion just because other merchants need additional expensive services.

ISOs who strike the right balance, giving "simple" merchants streamlined, low-cost solutions while offering "complicated" merchants a broad suite of affordable services, will have safer, more satisfied merchants.

So remember, every time a PCI vendor tries to use FUD to make life unnecessarily complicated and expensive for your merchants, use the points provided herein to dispel the nonsense.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. ( He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at or 801-599 3454.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | USAePay | Impact Paysystems | Board Studios