78% Merchants don’t know.. and institutions don’t care about PCI DSS.

22% of the major retailers (approximately 290 in the United States) are PCI DSS compliant, and 78% on track to being compliant. This figure, as appropriately highlighted and restated several times on other news sties, is ignorant of the mid-tier merchants and the service providers. These two groups alone represent a far scarier multiple of sources of attacks. Unfortunately, there is still some hub-bub about Merchant CEOs, industry analysts, and certain VISA assessors that feel that the standard is not clear or is not being applied prudently to encourage complete adoption.

The trappings of forming a standard are numerous, and one is the inconsistent policing and monitoring. Anything that isn’t measured is not done, and in the IT Controls world this is no different. At present, assessors are pitching their services to companies that are responsible for meeting the mandates set forth by PCI DSS. Too much the assessors are screaming and shouting FUD (fear uncertainty and doubt) via marketing and sales tactics. This is a terrible means of communicating a standard that was designed to reduce the costs of fraud and injury to the payment card network (both the consumer and the providers). Unfortunately due to a lack of communication throughout the network many of those that should be PCI DSS compliant do not even know what it means. This was found to be true at this year’s Payment Card Industry Conference in Las Vegas, where less than 40% knew what PCI DSS represented. The positive side of this survey showed that the majority, greater than 70%, considered IT Controls & Security to be of paramount importance.

So, we know that the merchant-providers have the desire and will to put in place strong security and protect their clients, but seem to be unaware of the relevant standard of PCI DSS. (Relevant Standard – is an important distinction to how the rest of the world is managing IT Controls, because PCI DSS was made by those in the payment card industry for those in the payment card industry the standard speaks directly to the real risks and threats that exist. This is of course not the case when compared to SOX-COSO, HIPAA-it’s own arbitrary standard, ITIL- for everything else in the world.) The break in communication is not with the card companies (VISA, MASTERCARD, AMEX, etc…), as they have dedicated portions of the website, teams, training, roadshows, web casts, blogs, analysts, and a number of media outlets that are being paid to publish articles on this standard.

The break in communication is simply an economic one once we consider how liability and fines. If a break occurs at X merchant, VISA and Company will each issue fines. Their fines however are not to the merchant, but in fact are (this is an example and not absolute and there will certainly be variations) placed upon the institution that handles or issued that Merchants cards. It is up to the institution to then pass along the fine to the merchant. Now the institution is in quite the position – pass the fine along and risk losing their business at renewal, or absorb the fine as a cost of doing business with the merchant. This depends on the volume of business occurring from Merchant X. So, big merchants don’t pay fines? More importantly, if the institution feels there is greater value in absorbing the cost as part of business, was this risk calculation done for mid-tier merchants? Those that could not absorb such a fine without going out of business?

In reality – the institutions have the responsibility and know the merchants-providers that need to comply with PCI DSS. Unfortunately, it is contrary to the institutions business to fine or trouble their clients with fines that are not always delivered. In an interview a VISA spokesperson states that they had not issued as many fines as should have been – this is clearly true since 78% have not been compliant, and should be fined as much as a year and a half ago.

A bit of a rant, but looking into the confusion one can only imagine the state of those who are trying to commit change in their organization to meet PCI DSS and realize the amount of resistance they are hitting against.


20 responses to “78% Merchants don’t know.. and institutions don’t care about PCI DSS.

  1. So, the question is who wants to start a class action? VISA and Mastercard through inaction are leaving themself open to a wide liability.

    Merchants are locked into using the cards. If PCI can not be mandated through the card issuers, than there is little hope for the end user.

    This is a lack of due care pure and simple.


  2. This may sound like a silly question, but what is “PCI DSS” ? You article goes on and on about it, but fails to define it. What does a company have to do in order to meet this requirement?

  3. Joseph,

    PCI DSS = Payment Card Industry Data Security Standard. Quite simply, any organization that stores, processes, or transmits cardholder data (credit card number + CVV / pin) must be compliant. The best way to see if your organization is required to meet this standard is to visit either Mastercard or VISA’s site (www.visa.com/cisp)



  4. Craig,

    You raise a good point and something that over the past several months has come under greater scrutiny. While VISA and the other card companies are pinned to the wall it is really the banks that are stonewalling and allowing some of these communications to become broken down. An analogy might be to the investment bankers telling research analysts what to say… there is a bit of conflict of interest. How can you expect an organization to penalize a client who can easily move their business to the another bank… the answer is simple = all require and enforce the same standards. This unison is occurring to a large extent and the effects should trickle down.

    Thank you for the comments – dead on!


  5. One of the big problems here is a lack of communication from the card processors. As a merchant, I am supposed to conduct a self-survey on my business, however, the only reason I know this is because I read the documentation from VISA. At no point did my card processor or his representative ever tell me I had to do this. In an informal survey of other business owners that accept credit cards, 100% had never heard of this requirement, and needless to say, never performed the survey.

    Every week I see merchant terminals that fail to comply with the new PCI guidelines. The only merchant I’ve seen that attempts to address this is Hooters.

    VISA needs to push communication of the standard and get their merchants in line. This is not a merchant issue – the problem lies with those who dictate the standards and do nothing to let people know about them.

  6. If a merchants is deemed to be making a valid efforts to PCI compliance and there is a breach, what will the merchants be breaching ? PCI council literature only indicates that issuers are up for fine of $500,000 per breach (I assume once the issuing bank gets fined they will be after the merchants for fine+other expenses). The is, is the merchants breaching privacy of information or another law? One has to remember the standards are international but the laws are different in each country. Then theses the issue of proving the breach come from that particular merchant.

    I’m wondering what the legal exposure for merchant is ?

  7. Heop you’ll excuse the slight digression, but I saw Joseph’s post and thought this presentation I recently put together might be useful to him and others just getting to grips with PCI: http://pci.evolve-online.com/about-pci.asp

    Old hat to many here, no doubt, but hopefully of interest to those new to the PCI DSS.

  8. When I looked at what it takes to qualify as a scanning vendor, I could not help but think Visa et al are making a profit from charging so much to qualify as a testing organization. As to the checklist requirements themselves, I find it to be a pretty good checklist, PCI or not. But I also find it to be a VERY expensive implementaion if you do it all, both in terms of hardware/software and in labor hours, especially to maintain the services required. I doubt very many companies really do ALL that is in the checklist or will ever.

  9. We at NIIT Technologies – is offering a special service to assess vulnerability and security of merchant systems, test if they comply with PCI DSS requirements, and offer ongoing status and analysis reports for level 1 to level 5 incidents. NIIT consultants will also offer specific recommendations on remedial actions in their systems, networks and applications.

    The assessment service covers:

    • Performance and Availability
    • Security
    • Configuration management and vulnerability
    • Operational change control

    It is a composite service which does not include capital invetsments by the merchants. Please get in touch with me at my email id for further information.

  10. I am part of an MBA marketing research team at Pepperdine University. We are researching PCI-DSS standards. If you have a couple of minutes we’d appreciate your help with our survey!


  11. Thanks for sharing this information. Really is pack with new knowledge. Keep them coming.

  12. Once again confusion reaigns. BoA sent a letter to it’s merchants stating that PCI DSS prohibits you from storing credit card numbers, which it (PCI) does not. You must have controls in place. An email to BoA asking for clarification was never answered.

  13. Lucky to find you, keep on the good workk guys! Best of luck.

  14. Merchants – please keep in mind there are 4 levels of Merchans that PCI Security Standards Council has defined based on credit card volume and, in some aspect, brick and mortar vs. online store front. Those that are Level 3 and Level 4 (the smallest merchants), are required to perform self-assessments only, and the timing of these self-assessments is based on your institution who processes your credit cards. Credit card processors have their own timetable to mandate your self reported compliance unless you have experienced a breech. If you really do not want to become compliant, you can always search for those institutions who have not yet felt the urge to force level 3 and level 4 merchants to go through these process.

  15. Tim,

    I think you raise a good point that merchants must be aware of what is expected of them, how they need to provide validation, and the necessity of a cognitive effort in assessing the business benefits/risks of accepting and processing credit cards. I strongly agree and encourage all businesses to evaluate they business processes and determine if outsourcing, insourcing, or finding a balance is ideal for their business.

    I question, however, the (beyond moral and ethical conflicts) idea of shopping for institutions that do not enforce the standards. To clarify – if a business processes credit cards they need to be compliant – the SAQ, ASV, QSA, etc… are only means of validation. Regardless of the imperative and reasons to respond to these completely, there is a stronger concern – fraud (for the business and the liable consumers).

    Other thoughts… counterpoints… areas where I may be misinterpreting?


  16. Maybe the reason they don’t care is because customer also don’t care. Actually the customer don’t know about such thing, so they don’t care about it.

  17. – In murky water the Tiger Shark is most successful. –

    I completely agree that many that Merchants are at risk due to their processors not properly educating them. I believe they are afraid of losing customer base if they “enforce” the PCI-DSS. Also, in another PCI related blog I read a report by Forrester Reasearch that indicated a “high end” breach cost of $305.00 total per record. I think these costs are vastly understated and here’s why:

    The Business side always seems to be covered in calculations, but what I seldom if ever see in the research is the personal suffering, anguish and humiliation the employees and their families who will most likely be laid off or downsized post- breach. In many cases the loss of reputation, consumer confidence and ultimately loss of business in today’s tough economy is more than enough to be viewed as a lethal injection for that organization.

    Although, there are many QSA Qualified Security Assessor organizations out there in the world some have been mentioned, In North America Datassurant Inc. is ideally suited and is a really good choice for this type of work because and keep highly trained security professionals (many of which are certified White Hat hackers) on staff. In South America Modulo would be an excellent choice.

    What’s even more interesting, based on those numbers $100.00 vs. $90.00 it appears that Company A credit card records “street value” are more valuable to hackers then they are to Company A itself. This doesn’t seem to add up in my mind.

    What keeps me up at night? I wonder how many more breaches consumers will need to endure and how many lives will be ruined, how much post-breach triage we will need to perform before the Government hears the people and steps in, much in the same way as SOX?

  18. This website is Great! I will recommend you to all my friends. I found so much useful things here. Thank you.m

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s