The Payment Card Industry Data Security Standard (PCI) has accomplished a number of meaningful changes in the Payments Industry. It has increased the awareness of security issues in the industry and has generally contributed to an increase in the overall security posture. The jargon of PCI, data security, and compliance has become commonplace, where two years ago it was essentially a foreign language. Companies and, most importantly, customer data have become more secure, making customers feel more comfortable using alternatives to cash payments. That is what the program was intended to accomplish and for that, it should be applauded. An unintended consequence of the creation of the standard, however, has been the cottage industry that has emerged to support compliance.
Evidence of the growing offshoot industry can be found in the list of Qualified Security Assessors (QSAs), those companies that are authorized by the card brands to conduct PCI assessments. Two years ago, that list contained a handful of companies that had been familiar with the payment card protection initiatives in their infancy. Today, that list is twelve pages long and covers North America, Latin America, the Asia Pacific and Europe.
Additional proof of the lucrative sub-industry created by PCI makes itself known in a variety of ways on a daily basis – webinars, seminars, white papers, marketing materials. The result of the proliferation of people and companies involved in the PCI industry has been the sudden increase in the number of “experts” offering opinions and advice.
It is not uncommon in today’s marketing collateral to see phrases such as “Complete PCI Compliance” or “Guaranteed Compliance.” This is the equivalent of the ubiquitous “one size fits all” claim generally found inside gloves and ball caps. It is simply not possible that one size of anything will fit everyone. Similarly, it is not possible for one solution or one product to guarantee complete PCI compliance. Such a claim certainly cannot be made without an in-depth understanding of the PCI itself, the industry, and the specific business model and network topography of the company in question.
Even then the veracity of such a guarantee is dubious at best. The challenge is that some companies that are obligated to comply with the PCI find these guarantees compelling, and even comforting. Surely the idea of making one purchase and implementing one product to comply completely would encourage most to at least investigate the claim.
The speed with which companies must comply, and the very real enforcement of the program, does create vulnerabilities for some Payment Industry companies. Data security has not generally been a “board room” concern. It has been largely the domain of the IT and Information Security groups. This freed the executive staff and directors to concentrate on the company’s core competencies and on building competitive advantage in the market. Competitive advantage can now be predicated upon compliance, and many in the executive ranks do not have the familiarity with compliance and security that may be desirable in the regulatory age in which we exist. Given these conditions, companies looking to capitalize on the demand created by PCI compliance can take advantage of what can be described as a naiveté.
The “PCI Market,” as many have taken to calling it, has placed a high premium on the opinion of those with PCI experience. To capitalize on this need for information, many companies and individuals have embellished their relationship to the PCI. Some product companies with at best a tangential relationship to compliance have created an appearance that their product or service is crucial to compliance.
Nor is it uncommon to hear individuals claim credit for writing the PCI standard (or at least contributing to it) or its predecessors. It is incumbent upon us all, however, to ensure that due diligence is completed, both upon products asserting claims of complete compliance and upon the experts proffering opinions and advice.
That is not to say that there are not companies and individuals that have legitimate expertise to bring to bear on the subject. Many companies, recognizing a legitimate need and opportunity, have invested the time and resources to develop a deep understanding of the industry and its specific needs. Those true experts can speak not only to the PCI standard itself, but to its effect on the industry as a whole. They understand the difference between an ISO and a merchant and the way that compliance affects the companies and their customers and partners. A product company that has developed real expertise can tell you specifically how its product can help you achieve compliance, without trying to sell the idea of a “silver bullet.” While the growing crowd of companies participating in the PCI Market can be confusing, it should not be disheartening. The benefit of the growth of the cottage industry has been a significant surge in innovative methods and products designed to enable compliance.
So, the question becomes how to separate the wheat from the chaff.
In much the same way one would investigate a physician and his opinion prior to agreeing to a particular course of treatment, an individual can vet companies and individuals claiming expertise in PCI. Asking probing questions of the company in question can provide some real insight into the extent of their expertise and experience.
For example, ask them to explain or offer a case study in which they provided a service to a company with either a similar business model or a similar need. If they seem to have trouble articulating a response, you may want to investigate further before investing in their product or services.
Secondly, ask for references. It is not uncommon for customers to ask prospective vendors or service providers for references, and the PCI market is no exception. If they have a successful track record, providing references should not be a problem for them. Along that same vein, you can ask others in your position if they have heard of or used the company with which you are talking. Word of mouth is often the most powerful reference. It is important to keep in mind, however, that no baseball player ever has a perfect batting average, and similarly no company does either. So don’t be alarmed if you hear one story that seems out of line. Look for patterns. If the vast majority of the people with whom you speak have a positive opinion, then you should feel fairly comfortable. If, however, the opposite opinion is predominant, then you may want to think twice about working with the company in question.
One of the most important factors in vetting a company to provide a “PCI compliance tool,” be it a product or a service, is trusting your instinct. When speaking with the company’s representatives it is possible to get a good feeling for whether they truly understand the needs and concerns of the “PCI market.” If an individual can speak knowledgeably or provide you with literature about the PCI and its requirements, and about how their product or service can help you fulfill those obligations, that is generally a good sign that the company does have experience in the space. If the individual cannot answer a specific question, that is not necessarily indicative of a lack of experience on the part of the company; rather, it may be indicative of a willingness to admit that they are not experts on every part of the PCI. That can be an encouraging sign. At the end of the day, though, you must rely on your perception of the company and their experience.
It is obvious that many see the PCI as providing a new market opportunity. It actively moves companies to implement a higher level of security standards. In turn, many vendors have moved into the space in order to capitalize on the compliance obligation. While there have certainly been a number of beneficial developments (increased security innovation by companies in the space, for example), some vendors have entered the PCI Market despite the fact that their products or services relate only tangentially, if at all, to the requirements. It is incumbent upon all companies that need to comply to ensure that they have done their due diligence on these vendors to ensure that they truly can enable compliance. Probing questions, industry references and instinct can be put to good use in vetting a company in terms of its ability to help you comply.
It is easy to fall into the trap of addressing security and compliance solely through the use of technology. That mindset makes the idea of a “silver bullet” very appealing – to both vendors and their customers. However, technology is only one-third of the equation. You must remember that people and processes are equally important to your compliance posture. Knowing that there are three distinct elements to address makes it apparent that there can be no one solution to compliance.