By Tim Cranny
Panoptic Security Inc.
ISOs are beginning to focus on the issues raised by the Payment Card Industry (PCI) Data Security Standard (DSS), but many of them are finding the compliance process confusing and frustrating.
It's not surprising: Some of the challenges are serious - and seriously complicated - and instead of there being a single solution, there's a patchwork of different advisors, vendors, consultants and technologies. However, some ISOs are handling the challenge gracefully. By learning from them, other ISOs can reduce the effort and distraction of PCI compliance and, at the same time, improve their results.
The ISOs who are handling the situation well are those who are not getting buried in the technical details. Instead, they are deciding first on a strategy for PCI compliance. Then, and only then, they deal with the various technical details applicable to them.
Basically, ISOs and others affected by PCI have four choices. They can do nothing; pass the buck down to the merchants in their portfolios; build a do-it-yourself program in-house; or partner with suitable specialists.
The do-nothing approach is the historical favorite, but it is rapidly disappearing as an option. The PCI DSS is deliberately being rolled out in an incremental way, and both its scope (the number of issues covered by it) and the number of merchants explicitly targeted by it are increasing every year.
ISOs who ignore PCI are not only exposing themselves to increased financial and legal risk, but also increased business risk to their portfolio. This is because PCI is increasingly an explicit merchant pain, and ignoring the issue means falling behind those ISOs that do act to help their portfolios.
Additionally, failing to act means failing to seize a real opportunity: turning PCI compliance into a business and financial positive.
The next option, passing the buck down to the merchants in the portfolio, sounds like an easy way out. But it simply doesn't work in practice. The focus of PCI is being expanded to increasingly include smaller merchants, and these merchants are completely unable to manage PCI if their ISOs dump the issue in their laps.
Small merchants typically have even less expertise in security and compliance than their ISOs, so if they're told to sink or swim, many of them will sink by ignoring the issue, hoping it goes away.
If they don't ignore the issue, they'll run headfirst into the brick wall of not even knowing what many of the questions mean. Then they'll swamp their ISOs with questions and demands for help (something we've seen happen several times recently). Either way, the ISO hasn't dealt with the problem.
And finally, passing the buck does nothing to address the final two weaknesses of the do-nothing approach: It leaves you at a competitive disadvantage relative to other ISOs who do help their merchants, and it fails to seize the opportunity to make money from PCI.
The do-it-yourself option means putting together a comprehensive in-house PCI program, complete with PCI compliance experts, appropriate software tools, security solutions and technical support for merchants. Large ISOs may have the resources to pull this off. But for most small ISOs, this would be a misguided change in business focus and would require a huge initial investment of time and money. Very few ISOs have gone down this path, and it is unlikely that very many ever will.
The final alternative, partnering with suitable specialists, is likely to emerge as the dominant solution. If done right, it can thoroughly address the problem without requiring that the ISO make a massive investment of time, money and focus. But those who select this option must select their partners wisely.
Before choosing a partner, ISOs should first figure out what gaps they are looking to fill with a partnership. Is it a specific technology issue that can be resolved quickly by a knowledgeable vendor, or is it a more fundamental matter of finding someone to provide merchants with expert assistance and guidance?
If it is the latter, be wary of partnering directly with one of the many technology-focused companies that sell hardware or software, or narrow technical services like network scans. These companies often provide a valuable and necessary service, but they only solve one small piece of the puzzle.
If you're not a security expert, how do you even know which partners are good, and which are bad, to begin with? ISOs who have dealt with this problem successfully have typically fallen into one of two categories:
If you are leaning toward the second category, you need to realize that not all expertise partners are created equal. Some are good, some are bad, but more importantly, some simply aren't a good fit for your particular portfolio.
For example, partners who specialize in Qualified Security Assessor work are specialists in dealing with larger merchants. They are ideal for relatively small portfolios where the majority of merchants are large, high-value and highly demanding.
The fit with a portfolio containing a high percentage of smaller merchants is obviously not going to be as good. ISOs should instead look for a company that specializes in that (very different) customer base.
Fortunately, finding the right PCI expertise partner does not have to involve financial pain: It can, in fact, create a completely new revenue stream for you through revenue sharing.
If your partner can reach the merchants in your portfolio at the right price and can deal with the scalability issues of many thousands of merchants - and neither of these is as easy as it sounds - good revenue streams can be built up in the traditional way: by giving your merchants valuable services and charging for them.
To get your PCI strategy right, remember the following:
Keeping these points in mind can help you get through the PCI maze without losing valuable time and money.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599 3454.