The Green Sheet Online Edition

January 09, 2012  •  Issue 12:01:01
PCI: The year in review, the year to come

By Tim Cranny

The start of the new year is a good time to review what 2011 was like for implementation of the Payment Card Industry (PCI) Data Security Standard (DSS). I especially want to revisit what has gone well, what has gone wrong, and what ISOs, banks and the rest of the payment card industry should expect in the coming year.

How we did in 2011

The year just finished contained several elements of steady but unspectacular progress: minor updates to the PCI DSS and Self-Assessment Questionnaires (SAQs) were rolled out to Level 4 merchants and generally caused little disruption. Also, the industry saw incremental improvement in compliance and validation; it's probably unrealistic to ask for much more.

A program like the PCI DSS is very hard to make work. It asks busy people to do difficult, inconvenient things for obscure reasons, all in the middle of tough economic times. And we can't assume the difficulties would disappear if merchants took the time to understand the issues, because the challenge is getting them to take the time in the first place.

One of the core issues with the PCI DSS is that it demands expertise from merchants. But most merchants simply do not have that expertise - or any easy way of getting it. This is particularly a problem for Level 4 merchants. And while some companies know how to solve this, the industry as a whole is still trying to come to grips with it.

First gear or overdrive?

The year just ended saw some other trends continue to become more visible. At the end of 2010, I predicted that 2011 would see growing tension between a slow-moving standard like the PCI DSS and a fast-moving industry. That has certainly proven to be the case.

On the one hand, the standard can't change too quickly without giving everyone whiplash. On the other hand, the underlying realities of our industry are changing quickly due to things like tokenization, virtualization and mobile payments. This presents only two real choices for the development of the PCI standard: too slow or too fast.

Moving too slowly fails to deal with the real threats and changes to the security world, while acting too swiftly is unacceptable for a formal process. We have found no easy answer to this.

What I can see working is a continued evolution of the standard toward a more complete, risk-based approach. Doing so is more complicated and less able to produce simple universal answers, but it is the only approach that has the required flexibility. This evolution will take years to achieve. But when it does, the standard will be structurally better at dealing with this central tension.

We saw other changes to the industry in 2011. As could have been predicted, the Qualified Security Assessor space continues to be a relatively mature, stable business. But dealing with Level 4 merchants remains a far more complicated business.

At the end of 2010, we started to see evidence of a slow but steady migration of ISOs and banks from simplistic, web-form-based SAQs to more feature-rich solutions. The latter demonstrate that ISOs and banks need tools and resources to help them implement soup-to-nuts, long-term PCI programs.

What will 2012 bring?

I hope the new year will be a continuation of the old - not because 2011 was such a wild success, but because continuity and incremental change are the only viable strategies for a maturing standard like the PCI DSS. The changes to the standard and the industry that I expect to see include:

Nothing is certain with things like the PCI DSS, which is a messy combination of technology, security, politics and money issues. But I am confident that those who prepare for the coming changes will have a simpler, more successful year ahead.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. ( He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at or 801-599-3454.
