The Green Sheet Online Edition

December 13, 2010  •  Issue 10:12:01

PCI: The year in review, the year to come

By Tim Cranny

With the new year approaching, it's a good time to step back and review what 2010 was like for the Payment Card Industry (PCI) Data Security Standard (DSS) compliance program: what has gone right, what has gone wrong, and what ISOs, banks and the rest of the payments industry should expect in the coming year.

2010 in review

The year 2010 was basically one of steady, unspectacular progress: the standard itself was expanded and refined to some degree (version 2.0 of the PCI DSS was published in October 2010), and the industry as a whole saw incremental improvement in compliance and validation rates across the board.

Also, another year's worth of exposure made PCI more familiar to merchants, their banks and ISOs, and security issues became a more routine "part of doing business" for everyone. All of this is real progress that directly serves the ultimate goal of PCI: to protect cardholders, their privacy and their transactions.

Described this way, 2010 might sound like a fairly mediocre year, but it's probably unrealistic to ask for much more.

A program such as PCI is very hard to implement; it asks busy people to do difficult, inconvenient things for reasons that are obscure to them, all in the middle of tough economic times. (And you can't simply implore merchants to take the time to understand the relevant issues, because the challenge is getting them to devote any time to PCI in the first place.)

A core issue with PCI remains the fact that it demands expertise from merchants, and the majority of merchants simply do not have that expertise, nor do they have an easy way of obtaining it.

This is particularly a problem for Level 4 merchants, and while some companies know how to solve this problem, the industry as a whole is still trying to come to grips with it.

A matter of speed

During 2010, other trends also became more visible. One such trend is that as PCI matures, it gains weight and inertia as a growing set of expectations, documentation and processes, and that makes it harder to make changes nimbly and swiftly. Doing so would confuse a lot of people in the industry and would likely be seen as a show of inconsistency, not a show of initiative.

Pushing too hard to change course too quickly at this point is guaranteed to create nothing but a backlash, which would be counterproductive.

Thus a genuine structural problem exists. On the one hand, the standard can't change too quickly without giving everyone whiplash.

On the other hand, the underlying reality can and does change quickly, because technology changes rapidly and security is always an arms race between the "good guys" and the "bad guys." (The security situation changes continually for the same reason football players move around all the time: each side is trying to get past, or to stop, the opposition.)

This all means there are only two simple choices for PCI, "too slow" or "too fast": either move too slowly to keep up with the real threats and changes in the security world, or move too quickly to be acceptable as a formal process.

The response from the PCI Security Standards Council in 2010 - and it's the right one - has been to gradually evolve PCI away from both of these simple choices toward a risk-based approach: something more complicated, but consistent and flexible enough to deal with these issues.

This risk-based approach will take some years to coalesce, but when it does, the standard will be structurally better at dealing with this core issue.

What worked and what didn't

Another change that we saw in 2010 is that the industry now has enough history with PCI for first-generation solutions and approaches to have built up a track record, and we can see which ones work well and which do not.

Understandably, little significant change or disruption has occurred in the Qualified Security Assessor (QSA) space, because consulting is a fairly mature, stable type of business. Dealing with Level 4 merchants, however, is a complicated business, and one where old, established solutions do not exist.

There are signs that the early companies that moved into the Level 4 space are being supplanted by later, more sophisticated and feature-rich alternatives.

We see a steady migration of ISOs and banks away from these first movers and expect this trend to continue throughout 2011, with simplistic web-form-based solutions being replaced by solutions that recognize that ISOs and banks need tools and resources to help them implement soup-to-nuts, long-term PCI programs.

What 2011 will bring

Ideally, the new year will be a continuation of the old, not because 2010 was such a wild success, but because continuity and incremental change are the only viable strategy for a maturing standard such as PCI.

The changes we expect to see to the standard and the industry include:

PCI is a messy combination of technology, security, politics and money issues, but ISOs and others who prepare for the coming changes will have a simpler, more successful year ahead.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at 801-599-3454.
