By Tim Cranny
Panoptic Security Inc.
By now, most of us know the basic history of the Payment Card Industry (PCI) Data Security Standard (DSS). In the early days, the industry focused on bringing large, Level 1 merchants into compliance with the standard.
This produced high levels of success, primarily because Level 1 businesses have security and information technology experts on staff.
The program slowly expanded to smaller merchants - Level 2 and Level 3 organizations - but showed diminishing success the closer it came to the smallest, Level 4 businesses. Now, progress with PCI compliance has slowed significantly; some would say it's even ground to a halt, especially when dealing head-on with Level 4 merchants.
Why? To explain, I propose this analogy: for a small merchant, the PCI process is like having a colonoscopy.
Surveys show that merchants consider PCI a "check-off" item and a nuisance replete with mysterious processes and requirements. A colonoscopy is a medical procedure that provides a health check at only one moment and needs to be repeated over time to ensure continued health.
Like patients in need of colonoscopies, most merchants don't understand that PCI needs to be a regularly repeated process, that the risks it deals with are real and substantial, and that the worst-case scenario is potentially life-ending for businesses.
Recent surveys report that close to 50 percent of small merchants can't explain the basics of the PCI DSS. Not only are these merchants not compliant, they don't even know what compliance consists of.
My colleagues and I speak regularly with multiple industry sources, and the consistent picture we see is that most Level 4 PCI programs have a compliance rate of around 10 percent.
Even Visa Inc.'s recent statistics gave specific validation percentages only for merchants in Levels 1 through 3. But for Level 4 merchants, Visa said only that compliance is moderate, with the following footnote: "Level 4 compliance is moderate among stand-alone terminal merchants, but lower among merchants using integrated payment applications [emphasis added]."
I suspect many ISOs, processors, acquirers and payment brands use sanitized words like "moderate" or "lower" because they sound better than saying "really, truly bad."
Opinions vary as to why this stall is occurring among small merchants. But one reason is that Level 4 companies have little or no access to security experts, technical help and network administrators. For most small merchants, the PCI DSS and Self-Assessment Questionnaires (SAQs) may as well be written in Swahili.
So I propose we payment professionals and data security experts ask ourselves, How do we convince more merchants to get their regular security colonoscopies?
Obvious tactics include carrot and stick approaches. A carrot could be offered in the form of cheaper PCI processes and lower fee structures for those who comply.
The stick approach would be reserved for merchants who don't respond to the carrot: they could face large noncompliance fees for failure to comply.
Neither of these solutions will ever work without substantially increasing the dollar penalties, which could interfere with the entire payments industry in unforeseen ways.
Make the penalties too big and merchants may seek uncaring, reckless service providers that don't require PCI compliance or just run fake, "everyone passes" programs.
Yet keeping fees reasonable does not provide the requisite motivation needed to get merchants to execute the thorny PCI process. Even if the process were free, what would happen? Do we really think we'd get Black Friday-sized crowds at Free PCI Colonoscopy Day?
Instead, we need to start by acknowledging the core structural problem. PCI compliance is frustrating, confusing and scary for merchants because they are usually lost when it comes to understanding what the PCI DSS is asking them to do. As a simple experiment, I opened SAQ D Version 2.0 at a random spot. The first question I found was 4.2, which discusses wireless encryption and 802.11i.
The issues it raises are perfectly real. But 99 percent of merchants don't know a thing about encryption or the IEEE Standards Association and naming conventions. Do we really expect them to become diligent amateur encryption experts?
Merchants don't understand the terms and implications of the standard. They also vastly underestimate the risks, and most couldn't answer the questions accurately if they tried. You'd be a lot more likely to agree to a colonoscopy if the doctor:
It doesn't work to simply ignore the details; data security problems are real, and addressing them is often a technically messy process. But the merchant doesn't have to be
the expert. Software that takes the burden of expertise off the merchant might be the answer.
Just as Intuit Inc.'s TurboTax software protects tax filers from the complexities of the raw tax code, I believe the solution to the Level 4 compliance problem is to provide clever PCI software that protects merchants from the pain and stress of the PCI DSS.
So how do you design software that handles the problem of busy merchants who lack technological savvy? The SAQ process needs to be re-emvisioned and presented to merchants from their perspective.
We need to give them language that they understand, ways to avoid questions that don't really apply to them and expert tools that invisibly guide them to the right answers. I have found that by supplying these, payment professionals can:
Using such an expert system technology can boost compliance rates. It can pinpoint in detail places where merchants are falling out of the program so corrective steps can be taken immediately.
And when seeking to pinpoint compliance pitfalls, here's an illuminating question to ask: What is the overwhelming reason why merchants do not complete their PCI compliance? My experience shows the answer is that they never log into the compliance software in the first place.
This presents us with a new problem, but one that is easier to manage. In order to drive compliance percentages above 49 percent, we must find a way to get merchants to log in. This is where those carrots and sticks come in.
The need for progress also begs the question: Is it counterproductive for the whole industry when PCI vendors hide their compliance results? With secrecy, how will we ever know what works and what doesn't?
Maybe ignoring the fee issue and focusing on the real barriers to success will help get more patients into the doctor's office.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at email@example.com or 801-599-3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next