The Green Sheet Online Edition

November 08, 2010  •  Issue 10:11:01


Going beyond PCI

By Tim Cranny

The Payment Card Industry (PCI) Data Security Standard (DSS) is expanding and maturing. That means ISOs, banks, merchant level salespeople and merchants must familiarize themselves with an increasing number of resources, documents, processes and procedures associated with PCI.

That's good in almost every way, but it introduces a very real danger, one that is already affecting people today: the possibility of becoming "captured" by PCI and its priorities and processes and forgetting that it is, and will always be, just a response to the underlying threats and real dangers out there.

As compliance becomes a more familiar process, organizations run the risk of losing sight of the difference between safety and risk, and of becoming hypnotized into thinking only in terms of PCI, its issues and its formal measurements.

(This problem didn't emerge with PCI, of course; it is a common cause of failure for any long-term program with hard-to-define or shifting objectives. For example, there has been a problem for years in the U.S. education system, whereby the ultimate goal of producing educated, informed graduates is giving way to the more tangible metrics of raising exam scores and graduation rates. This is how we end up with dangerous and completely backward approaches such as "teach to the test.")

The formal PCI system does not, and cannot, track perfectly or even consistently the underlying dangers from hackers and thieves. In fact, there are strong reasons (which I'll address in a separate article) why PCI is particularly bad as a tracking mechanism.

The result is that we will see increasing numbers of cases in which people follow PCI guidelines judiciously but are still hacked or damaged.

If you're an ISO, bank, processor or merchant, do not smile when you hear the phrase, "The operation was a success, but the patient died"; you could be the patient we're talking about.

For that reason, I'm going to ignore PCI for the rest of this article and talk about the real threats and dangers you should keep in mind. This has to be a regular process, too, because these threats and dangers are changing so rapidly that the right approach today is likely going to be woefully inadequate in a year's time.

Facts about cybercrime

The recently released CA Technologies report, State of the Internet 2010 (available at or by searching online), offers an update on "what's happening out there" in the world of cybercrime and is a good place to start.

The bottom line is that cybercrime continues to grow more common and serious while cybercriminals are becoming more professional. Not that long ago, the archetypal hacker was a teenager looking for adventure and recognition among peers, not necessarily a monetary payoff.

Now a hacker is much more likely to be a member of an organized criminal group using specialized training and tools for financial gain.

Some of the details in the CA report are surprising and show how the web and cybercrime are evolving. For example:


So what should we do about all this? Here are some general ideas that should influence both how you think about security, and what specific actions you take.

Thinking about security in this way means you will be safer. It also means PCI compliance will easily follow. That's how it's supposed to work: PCI is essentially a health check, and the best way to pass a health check is to stop thinking about the test so much and concentrate on getting healthy.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at or 801-599-3454.
