
The Green Sheet Online Edition

August 09, 2010  •  Issue 10:08:01

More than PCI

By Tim Cranny

ISOs, acquirers, processors and merchants are right to focus on the Payment Card Industry (PCI) Data Security Standard (DSS) as their most critical compliance issue in regard to information security. But those who plan on doing long-term business should also be aware of other issues and changes on the horizon (or even closer).

Too many organizations are short-term or simplistic in their approach to security and compliance, and in the long term they are setting themselves up for unnecessary risk, cost and effort.

The correct approach, along with the appropriate insight into what is happening, will help ISOs and merchant level salespeople make the right moves at the right time and help keep their merchants safe and loyal.

Focusing on risk management

Risk management isn't just a security standard; it's the issue all the various standards are trying to address and measure. One of the main dangers with PCI is that people get too focused on the standards themselves, while forgetting their purpose is risk management.

Thinking only in terms of passing PCI is like responding to a serious fever by declaring that a particular thermometer has failed the "thermometer test" and trying other thermometers until one indicates a "better temperature."

The only logical approach is to pursue PCI compliance with strong risk management in mind, confident in the knowledge that focusing on the underlying goal will also mean your business will ultimately meet PCI standards.

Don't become fixated on the fine points of the PCI DSS. If you do the right thing by taking measures to assure your system's security, PCI compliance should follow almost automatically.

It's almost always possible to cheat or short-change formal measuring and reporting systems like the PCI DSS, but a short-term tactic usually leads to long-term problems.

As a side note, remember that merchants found to be noncompliant in the inevitable after-breach audit are guaranteed to miss out on any possible safe-harbor provisions available to those who are actually affirmed to have been PCI compliant at the time of a breach.

Breach notification laws

A majority of states have introduced legislation requiring merchants to formally notify customers if their personal information is stolen from a merchant.

These are laws, not just industry standards, so they carry extra weight. Merchants (and their partners) need to remember that they must conform to the laws of each state in which they do business.

In addition to the embarrassment and damage these breach notifications can cause a company's brand, the laws impose expensive, effort-intensive processes on breached companies, and these often prove far more expensive than the explicit fines or penalties.

Federal and state regulation of the financial sector

As part of, and in response to, the recent financial crisis, it is inevitable that a range of further regulations and compliance regimes will be imposed on the financial sector in the near future. It is likely that some of those will directly affect the payments industry.

Federal and state cyber-security laws are only now being conceived or drafted, driven by a range of political, social and technical reasons; it seems inevitable that they are coming.

Compliance laws throughout the supply chain

In addition, health industry laws (such as the Health Insurance Portability and Accountability Act of 1996) impose a range of security requirements not just on companies that work directly in the health industry, but also on companies that provide services to such companies - effectively making these compliance problems more than a little "contagious."

The phenomenon of compliance issues spreading throughout the supply chain is an increasing trend (for good reason, since companies and their data are becoming increasingly mingled and interdependent) and makes it increasingly likely that companies will get hit with compliance and reporting issues they weren't anticipating.

Putting together a long-term program

Payment professionals need to realize the world will get more complicated and that the compliance burden on them and their merchants will increase.

PCI is the right place to focus today, but the issues I've just mentioned should influence their decisions in important ways. For example, these issues mean that a short-term, quick-and-dirty approach to PCI compliance will fail sooner and harder than expected. Putting together a low-effort, "just-say-you-passed" approach is a bad idea for a number of legal and financial reasons even today, but it guarantees even more problems and inefficiencies in the near future. Instead, it makes sense to put together a program that can grow as the compliance burden grows.

ISOs and the merchants they serve have a choice: they can deal with security and compliance issues in a short-term "do the minimum I can get away with" way, or they can step back and take a "do it once, do it properly" approach that will protect them from both attacks and compliance surprises in the future.

Following the do-it-right path doesn't mean spending more money; it just means spending money in smarter ways. It leads to better security, better and cheaper compliance, and helps the ISO build a foundation for a healthy, long-term relationship with the merchant.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at tim.cranny@panopticsecurity.com or 801-599 3454.
