GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

The Green Sheet turns 25


Industry Update

Payment ship navigates economic storm

A new PCI day

Moneris to acquire Humboldt

Revolution heats up

WSAA wows in paradise

When the pen is mightier than e-mail

Biff Matthews
CardWare International

Gift and loyalty, the year-end accelerant

Christian Murray
Global eTelecom Inc.


When the pen is mightier than e-mail

Biff Matthews
CardWare International

No denial, no surrender

Scott Henry


Street SmartsSM:
A day in the life of a successful MLS

Jason Felts
Advanced Merchant Services

Who moved my merchants?

Jeff Fortney
Clearent LLC

Gift and loyalty, the year-end accelerant

Christian Murray
Global eTelecom Inc.

The how, when, why of recruitment outsourcing

Curt Hensley
CSH Consulting

Escaping the PCI maze

Tim Cranny
Panoptic Security Inc.

Company Profile

International Merchant Solutions LLC

New Products

Out of the shoebox, into the server

Charge Anywhere Electronic
Wireless Signature Capture

Shield terminals in sticky situations

ExoShield Terminal Cover
Inventor: Michael Katsanevas


Shaping the story


Payments in brief: 1983 to 2008





Higher risks mean higher rewards

Resource Guide


A Bigger Thing

The Green Sheet Online Edition

October 13, 2008  •  Issue 08:10:01

previous next

Escaping the PCI maze

By Tim Cranny

ISOs are beginning to focus on the issues raised by the Payment Card Industry (PCI) Data Security Standard (DSS), but many of them are finding the compliance process confusing and frustrating.

It's not surprising: Some of the challenges are serious - and seriously complicated - and instead of there being a single solution, there's a patchwork of different advisors, vendors, consultants and technologies. However, some ISOs are handling the challenge gracefully. By learning from them, other ISOs can reduce the effort and distraction of PCI compliance and, at the same time, improve their results.

The ISOs who are handling the situation well are those who are not getting buried in the technical details. Instead, they are deciding first on a strategy for PCI compliance. Then, and only then, they deal with the various technical details applicable to them.

Basically, ISOs and others affected by PCI have four choices. They can:

  1. Do nothing
  2. Pass the buck
  3. Take care of compliance themselves
  4. Selectively partner with specialists to take the burden off themselves

Do nothing

The do-nothing approach is the historical favorite, but it is rapidly disappearing as an option. The PCI DSS is deliberately being rolled out in an incremental way, and both its scope (the number of issues covered by it) and the number of merchants explicitly targeted by it are increasing every year.

ISOs who ignore PCI are not only exposing themselves to increased financial and legal risk, but also increased business risk to their portfolio. This is because PCI is increasingly an explicit merchant pain, and ignoring the issue means falling behind those ISOs that do act to help their portfolios.

Additionally, failing to act means failing to seize a real opportunity: turning PCI compliance into a business and financial positive.

Pass the buck

The next option, passing the buck down to the merchants in the portfolio, sounds like an easy way out. But it simply doesn't work in practice. The focus of PCI is being expanded to increasingly include smaller merchants, and these merchants are completely unable to manage PCI if their ISOs dump the issue in their laps.

Small merchants typically have even less expertise in security and compliance than their ISOs, so if they're told to sink or swim, many of them will sink by ignoring the issue, hoping it goes away.

If they don't ignore the issue, they'll run headfirst into the brick wall of not even knowing what many of the questions mean. Then they'll swamp their ISOs with questions and demands for help (something we've seen happen several times recently). Either way, the ISO hasn't dealt with the problem.

And finally, passing the buck does nothing to address the final two weaknesses of the do-nothing approach: It leaves you at a competitive disadvantage relative to other ISOs who do help their merchants, and it fails to seize the opportunity to make money from PCI.


The do-it-yourself option means putting together a comprehensive in-house PCI program, complete with PCI compliance experts, appropriate software tools, security solutions and technical support for merchants. Large ISOs may have the resources to pull this off. But for most small ISOs, this would be a misguided change in business focus and require a huge initial investment of time, and money. Very few ISOs have gone down this path, and it is unlikely that very many ever will.

Partner up

The final alternative, partnering with suitable specialists, is likely to emerge as the dominant solution. If done right it can thoroughly address the problem without requiring that the ISO make a massive investment of time, money and focus. And those who select this option must select their partners wisely.

Before choosing a partner, ISOs should first figure out what gaps they are looking to fill with a partnership. Is it a specific technology issue that can be resolved quickly by a knowledgeable vendor, or is it a more fundamental matter of finding someone to provide merchants with expert assistance and guidance?

If it is the latter, be wary of partnering directly with one of the many technology-focused companies that sell hardware or software, or narrow technical services like network scans. These companies often provide a valuable and necessary service, but they only solve one small piece of the puzzle.

If you're not a security expert, how do you even know which partners are good, and which are bad, to begin with? ISOs who have dealt with this problem successfully have typically fallen into one of two categories:

  1. They had enough security/compliance expertise in-house, so it was relatively easy for them to plug their few remaining gaps.

  2. They elected to work with a partner and chose an "expertise partner" rather than just a "technology partner." And they used their partner to help fill specific technology gaps. This option shifts the burden of expert judgment to the right place and helps ISOs avoid a number of hidden pitfalls.

Note distinctions

If you are leaning toward the second category, you need to realize that not all expertise partners are created equal. Some are good, some are bad, but more importantly, some simply aren't a good fit for your particular portfolio.

For example, partners who specialize in Qualified Security Assessor work are specialists in dealing with larger merchants. They are ideal for relatively small portfolios where the majority of merchants are large, high-value and highly demanding.

The fit with a portfolio containing a high percentage of smaller merchants is obviously not going to be as good. ISOs should instead look for a company that specializes in that (very different) customer base.

Bring in the money

Fortunately, finding the right PCI expertise partner does not have to involve financial pain: It can, in fact, create a completely new revenue stream for you through revenue sharing.

If your partner can reach the merchants in your portfolio at the right price and can deal with the scalability issues of many thousands of merchants - and neither of these are as easy as they sound - good revenue streams can be built up in the traditional way: by giving your merchants valuable services and charging for it.

To get your PCI strategy right, remember the following:

Keeping these points in mind can help you get through the PCI maze without losing valuable time and money.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. ( He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at or 801-599 3454.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | USAePay | Board Studios