A Thing
The Green SheetGreen Sheet
Subscribe
Sign in

The Green Sheet Online Edition

January 09, 2012 • Issue 12:01:01

PCI: The year in review, the year to come

By Tim Cranny
Panoptic Security Inc.

The start of the new year is a good time to review what 2011 was like for implementation of the Payment Card Industry (PCI) Data Security Standard (DSS). I especially want to revisit what has gone well, what has gone wrong, and what ISOs, banks and the rest of the payment card industry should expect in the coming year.

How we did in 2011

The year just finished contained several elements of steady but unspectacular progress: minor updates to the PCI DSS and Self-Assessment Questionnaires (SAQs) were rolled out to Level 4 merchants and generally caused little disruption. Also, the industry saw incremental improvement in compliance and validation; it's probably unrealistic to ask for much more.

A program like the PCI DSS is very hard to make work. It asks busy people to do difficult, inconvenient things for obscure reasons, all in the middle of tough economic times. And we can't assume the difficulties would disappear if merchants took the time to understand the issues, because the challenge is getting them to take the time in the first place.

One of the core issues with the PCI DSS is that it demands expertise from merchants. But most merchants simply do not have that expertise - or any easy way of getting it. This is particularly a problem for Level 4 merchants. And while some companies know how to solve this, the industry as a whole is still trying to come to grips with it.

First gear or overdrive?

The year just ended saw some other trends continue to become more visible. At the end of 2010, I predicted that 2011 would see growing tension between a slow-moving standard like the PCI DSS and a fast-moving industry. That has certainly proven to be the case.

On the one hand, the standard can't change too quickly without giving everyone whiplash. On the other hand, the underlying realities of our industry are changing quickly due to things like tokenization, virtualization and mobile payments. This presents only two real choices for the development of the PCI standard: too slow or too fast.

Moving too slowly fails to deal with the real threats and changes to the security world, while acting too swiftly is unacceptable for a formal process. We have found no easy answer to this.

What I can see working is a continued evolution of the standard toward a more complete, risk-based approach. Doing so is more complicated and less able to produce simple universal answers, but it is the only approach that has the required flexibility. This evolution will take years to achieve. But when it does, the standard will be structurally better at dealing with this central tension.

We saw other changes to the industry in 2011. As could have been predicted, the Qualified Security Assessor space continues to be a relatively mature, stable business. But dealing with Level 4 merchants remains a far more complicated business.

At the end of 2010, we started to see evidence of a slow but steady migration of ISOs and banks from simplistic, web-form-based SAQs to more feature-rich solutions. The latter demonstrate that ISOs and banks need tools and resources to help them implement soup-to-nuts, long-term PCI programs.

What will 2012 bring?

I hope the new year will be a continuation of the old - not because 2011 was such a wild success, but because continuity and incremental change are the only viable strategies for a maturing standard like the PCI DSS. The changes to the standard and the industry that I expect to see include:

  • Continuing challenges for the industry in adapting to the challenges and disruption caused by mobile payments and other emerging technologies

  • A corresponding continuation in the slow move toward a more risk-based approach to security

  • An escalation in attacks against small merchants - driven, incidentally, by the success of the PCI's efforts in improving security at larger merchants; attackers are now shifting focus to the more vulnerable smaller merchants

  • A growing recognition that smaller merchants need PCI programs that are more sophisticated and comprehensive than some of the older solutions still in use today

  • Higher expectations of ISOs, acquirers and others regarding their PCI programs for smaller merchants

  • A greater emphasis on explicit metrics for defining and tracking success with PCI programs

  • Market consolidation and simplification, driven in part by a move by the large players away from vendor-based solutions and toward internally provided applications

  • Growth in the international nature of the PCI DSS, with other parts of the developed world starting to catch up with the United States

Nothing is certain with things like the PCI DSS, which is a messy combination of technology, security, politics and money issues. But I am confident that those who prepare for the coming changes will have a simpler, more successful year ahead. end of article

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at tim.cranny@panopticsecurity.com or 801-599-3454.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
Facebook
Twitter
LinkedIn

Current Issue

View Archives
View Flipbook

Table of Contents

Lead Story
New federal watchdog eyes prepaid cards
News
Industry Update
Heartland nearing closure on breach after favorable ruling
Forensics expert, Google differ on Wallet security
The future of contactless payments
Payment predictions for 2012
Features
PCI SSC rolls out new SIGs
Highlights from Inside Microfinance
Patti Murphy , ProScribes Inc.
Show us the money! - Growing business online by accepting more forms of payment
Brian Crozier , UseMyServices.com
Research Rundown
ISOMetrics:
Online shopping up for holiday season 2011
Lessons from the lemonade stand
Selling Prepaid
Prepaid in brief
Banks exhibit 'appetite for prepaid'
The game card opportunity beyond U.S. borders
Education
Street SmartsSM:
The Durbin Amendment: Bust or boon for the industry?
Bill Pirtle , C3ET Credit Card Consortia for Education & Training Inc.
Kick off 2012 with a plan for success
Peggy Bekavac Olson , Strategic Marketing
Keep it honest in 2012
Jeff Fortney , Clearent LLC
PCI: The year in review, the year to come
Tim Cranny , Panoptic Security Inc.
Company Profile
RocketPay LLC
PAX Technology Inc.
New Products
Going global with online payments
Global Gateway e4 , First Data Corp.
A platform for multichannel retailers
Multi-Channel Retail Management Suite , Retail Anywhere
Inspiration
Work through discomfort, expand your reach
Departments
10 Years ago in
The Green Sheet
Forum
Resource Guide
Datebook
Miscellaneous
2012 Calendar of events
A Thing