The Green Sheet Online Edition
October 13, 2008 • Issue 08:10:01
Escaping the PCI maze
ISOs are beginning to focus on the issues raised by the Payment Card Industry (PCI) Data Security Standard (DSS), but many of them are finding the compliance process confusing and frustrating.
It's not surprising: Some of the challenges are serious - and seriously complicated - and instead of there being a single solution, there's a patchwork of different advisors, vendors, consultants and technologies. However, some ISOs are handling the challenge gracefully. By learning from them, other ISOs can reduce the effort and distraction of PCI compliance and, at the same time, improve their results.
The ISOs who are handling the situation well are those who are not getting buried in the technical details. Instead, they are deciding first on a strategy for PCI compliance. Then, and only then, they deal with the various technical details applicable to them.
Basically, ISOs and others affected by PCI have four choices. They can:
- Do nothing
- Pass the buck
- Take care of compliance themselves
- Selectively partner with specialists to take the burden off themselves
The do-nothing approach is the historical favorite, but it is rapidly disappearing as an option. The PCI DSS is deliberately being rolled out in an incremental way, and both its scope (the number of issues covered by it) and the number of merchants explicitly targeted by it are increasing every year.
ISOs who ignore PCI are not only exposing themselves to increased financial and legal risk, but also increased business risk to their portfolio. This is because PCI is increasingly an explicit merchant pain, and ignoring the issue means falling behind those ISOs that do act to help their portfolios.
Additionally, failing to act means failing to seize a real opportunity: turning PCI compliance into a business and financial positive.
Pass the buck
The next option, passing the buck down to the merchants in the portfolio, sounds like an easy way out. But it simply doesn't work in practice. The focus of PCI is being expanded to increasingly include smaller merchants, and these merchants are completely unable to manage PCI if their ISOs dump the issue in their laps.
Small merchants typically have even less expertise in security and compliance than their ISOs, so if they're told to sink or swim, many of them will sink by ignoring the issue, hoping it goes away.
If they don't ignore the issue, they'll run headfirst into the brick wall of not even knowing what many of the questions mean. Then they'll swamp their ISOs with questions and demands for help (something we've seen happen several times recently). Either way, the ISO hasn't dealt with the problem.
And finally, passing the buck does nothing to address the final two weaknesses of the do-nothing approach: It leaves you at a competitive disadvantage relative to other ISOs who do help their merchants, and it fails to seize the opportunity to make money from PCI.
The do-it-yourself option means putting together a comprehensive in-house PCI program, complete with PCI compliance experts, appropriate software tools, security solutions and technical support for merchants. Large ISOs may have the resources to pull this off. But for most small ISOs, this would be a misguided change in business focus and require a huge initial investment of time and money. Very few ISOs have gone down this path, and it is unlikely that very many ever will.
The final alternative, partnering with suitable specialists, is likely to emerge as the dominant solution. If done right, it can thoroughly address the problem without requiring that the ISO make a massive investment of time, money and focus. But those who select this option must select their partners wisely.
Before choosing a partner, ISOs should first figure out what gaps they are looking to fill with a partnership. Is it a specific technology issue that can be resolved quickly by a knowledgeable vendor, or is it a more fundamental matter of finding someone to provide merchants with expert assistance and guidance?
If it is the latter, be wary of partnering directly with one of the many technology-focused companies that sell hardware or software, or narrow technical services like network scans. These companies often provide a valuable and necessary service, but they only solve one small piece of the puzzle.
If you're not a security expert, how do you even know which partners are good, and which are bad, to begin with? ISOs who have dealt with this problem successfully have typically fallen into one of two categories:
- They had enough security/compliance expertise in-house, so it was relatively easy for them to plug their few remaining gaps.
- They elected to work with a partner and chose an "expertise partner" rather than just a "technology partner." And they used their partner to help fill specific technology gaps. This option shifts the burden of expert judgment to the right place and helps ISOs avoid a number of hidden pitfalls.
If you are leaning toward the second category, you need to realize that not all expertise partners are created equal. Some are good, some are bad, but more importantly, some simply aren't a good fit for your particular portfolio.
For example, partners who specialize in Qualified Security Assessor work are specialists in dealing with larger merchants. They are ideal for relatively small portfolios where the majority of merchants are large, high-value and highly demanding.
The fit with a portfolio containing a high percentage of smaller merchants is obviously not going to be as good. ISOs should instead look for a company that specializes in that (very different) customer base.
Bring in the money
Fortunately, finding the right PCI expertise partner does not have to involve financial pain: It can, in fact, create a completely new revenue stream for you through revenue sharing.
If your partner can reach the merchants in your portfolio at the right price and can deal with the scalability issues of many thousands of merchants - and neither of these are as easy as they sound - good revenue streams can be built up in the traditional way: by giving your merchants valuable services and charging for it.
To get your PCI strategy right, remember the following:
- PCI isn't going away; it's growing and maturing.
- ISOs and others who do nothing about PCI compliance can have significant legal and financial exposure.
- Your competitors are doing something about PCI, so you run the risk of falling behind if you delay.
- If you don't have any expertise in security and compliance, that's the core challenge for you. Technology boils down to details to be sorted out after you (or someone helping you) know what you are doing.
- You don't have to do it yourself. There are several companies that specialize in giving you, and your merchants, the expertise you need.
- A quick-and-dirty solution, such as simply putting the Self Assessment Questionnaires up on the Web, can create a support nightmare because someone, somewhere, has to actively help the merchants through the process of filling out the questionnaires.
- Ensuring your company's and your portfolio's PCI compliance doesn't have to cost you money. If you find the right partner, you can make money through revenue sharing.
Keeping these points in mind can help you get through the PCI maze without losing valuable time and money.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599 3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.