The Green Sheet Online Edition

February 14, 2011  •  Issue 11:02:01


PCI vendor selection

By Tim Cranny

As compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) becomes a normal part of doing business, security solutions and products are emerging from obscurity to become business and legal necessities.

For an ISO, merchant level salesperson (MLS), bank, processor or other service provider, this means being exposed to a strange new world of techno-babble and a crowd of security vendors all competing for your attention.

But which solutions do you need? What's the right strategy for tying together all these different products? Which vendors should you work with? And where can you find assistance with this sometimes intimidating process?

Fortunately, remembering a few key ideas will help you understand more about this new world, so you can answer these questions and help ensure you are investing time and effort wisely.

QSAs and ASVs

The first step in dealing with PCI is to understand at a high level the types of solutions and services that exist. The oldest and most obvious types of PCI vendor are the Qualified Security Assessors (QSAs) and the Approved Scanning Vendors (ASVs).

QSAs are essentially consulting companies that have been trained and certified to perform detailed on-site audits. Their business model is naturally hard to scale and expensive, which makes them appropriate for large, complicated organizations. However, they are essentially irrelevant if you're trying to deal with a portfolio containing a large number of smaller merchants.

ASVs are companies that have been certified by the PCI Security Standards Council to conduct external vulnerability scans of merchants' Internet-facing systems, such as their websites and payment applications. These scans look for software or network weaknesses that might expose cardholder data.

While the quarterly external scan requirement is critical, passing such a scan does not mean a merchant has passed PCI; it means only that one of many requirements has been met. The ASV business model and execution are naturally more scalable than those of a QSA, but a remote scan is inherently less comprehensive than an on-site assessment: it cannot see internal networks, policies, procedures or physical controls.

Because of the constraints of their business models, neither QSAs nor ASVs can solve the needs of the average ISO, MLS or other payment professional whose portfolio contains many small merchants. QSAs and ASVs have their place, but the search for the right vendor partnerships has to extend far beyond them.

Vendors galore

The good news is that the last thing you need to worry about is a lack of vendors and solutions; there are plenty of options to explore. An enormous security industry existed long before PCI was established. It extends far beyond PCI and comprises many hundreds of security vendors. You are in more danger of becoming confused about which one to choose than you are of being stranded without an appropriate choice.

Most of these companies offer what are called point solutions. These products each address a single, narrow area of security, such as firewalling, anti-virus, encryption and so on. Many of these vendors use PCI as a way to market their products.

These point solution vendors often try to give the impression that they solve all of the PCI requirements. This might be a good short-term marketing ploy, but it is completely inaccurate. The PCI requirements are so broad and cover so many different issues that they cannot be solved with any one solution, especially a purely technical product.

This is doubly true because PCI covers many soft issues around policies, procedures, training, physical security and similar concerns. This means the answer is not to look for the one, ultimate solution, but instead to build up a bench of preferred solutions, each with its own place and value, but none of which is unduly emphasized over the others.

Building up this bench of solutions requires a lot of security expertise, so each ISO needs either to be a security expert or to partner with one. Having an impartial security partner to help you navigate the maze of acronyms and technical details makes a lot of sense, since it is dangerous and inefficient to get caught up in premature conversations about end-to-end encryption, 802.1X, IDS/IPS and so on without the right framework to surround them.

Having a guide will help you learn about the process while receiving assistance in making the right choices.

Points to remember

Here are several things to keep in mind when assessing security vendors:

If you have the right expertise or if you find the right security partner to handle the issues discussed herein, the technical details should fall into place fairly easily.

That means you can greatly diminish the burden and expense of PCI for you and your merchants.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at 801-599-3454.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
