Banks and retailers – not necessarily working together
Discuss the Payment Card Industry Data Security Standard and you will run into a fair amount of division. Its supporters (the banks) rightly state that the standard helps prevent credit card fraud through increased controls around data and its potential for compromise. Its detractors (many retailers) argue that it is little more than an MOT that costs money yet delivers no value.
Compliance validation can be external or internal, depending on the volume of card transactions the retailer handles. Retailers with large transaction volumes must have their compliance assessed by an independent Qualified Security Assessor (QSA), while those handling smaller volumes have the alternative of self-certification using a Self-Assessment Questionnaire (SAQ). Huw Thomas, COO of retail systems experts PMC, believes that although the principle behind the PCI standard is correct, its execution, especially during a recession, leaves something to be desired.
Thomas states: “PCI raises high emotions, principally because of the fines levelled for non-compliance. These fines force retailers to spend large amounts of cash for no business benefit. Of course, the counter argument is compliance ensures retailers won’t lose card data so they gain a business benefit. But who’s to say that without compliance retailers will lose card data?”
“Most retailers create a secure card environment. It’s manifestly in their interest and their customers’ perception of their brand to ensure that card data is secure. However, if that security is not assessed as PCI compliant, does that mean a fine should result? Surely, there should be a fine for a data breach, not for non-compliance. After all, PCI compliance is not law; it’s a requirement from the banks – but it’s about as valid as an MOT – good on the day it’s issued but almost meaningless after that.” Retailers can take legitimate steps within the PCI framework to safeguard their data, especially as the requirements are clear. There’s a technology element that states all data must be encrypted, then there are further elements covering key points such as infrastructure, passwords and data housing.
Thomas continues: “Improving compliance standards is fine. However, there’s a difference between sensible, effective business controls to reduce risk and improve customer security, and meeting standards across your entire technology infrastructure to avoid unwarranted fines.” “There are retailers that spend tens (if not hundreds) of thousands of pounds meeting compliance, yet not a single pound of that spend adds anything to the business. In a recession, when you’re struggling to keep profits at a sensible level, do you want to spend money on something that adds nothing? Yet the fear of fines means that spend continues.”
Like the MOT, compliance is temporary. It only guarantees a standard at a single point in time, which, in theory, becomes invalid as soon as the situation changes. What happens when people move on, or there’s a software update or a bug fix? Consider a retailer that’s assessed as PCI compliant. They have filled in the forms, had an independent QSA assessment and ticked all the boxes. Then a key person in the data centre leaves and a new person joins. What do they do, deny the replacement access to the computer room?
Thomas states: “Some retailers have set up enormous, bureaucratic, expensive change-control processes to review every change they make, no matter how small. That’s because they have an army of people looking at the potential implication on their PCI compliance – all costing money for no return. Retailers want to secure card data to preserve their brand integrity. Probably all retailers support the principle of fines for losing customer data; however, receiving fines for non-compliance against a standard in a continual state of change is unjustified.”
For example, VISA has written to many retailers threatening them with fines for non-compliance. These fines, if implemented, will continue on a rolling basis until compliance is achieved.
Thomas thinks this is unfair. “With insurance you get something back; that’s the difference with PCI enforcement: there are no returns for retailers. The standard should encourage retailers to look after their own business environment. Which retailers would fail to do that? For them the big issue is brand damage. Retailers will do everything they can to protect that, rather than having to jump over hurdles and pay money for the benefit of getting over the hurdle.”
Thomas closes: “And it’s going to change again with the introduction of PA DSS V1.2. Retailers that are spending money meeting current compliance standards have to get ready for a higher hurdle to jump over. I have heard that the fines for non-compliance against this standard are likely to be increased merchant acquiring fees.”
“The banks should change the model. When retailers become compliant, banks should give them a discount on their acquiring fee and only fine them if there’s a breach. That way the retailer gets something for their money. Will any bank take that approach, I wonder?”
For further information please contact enquiries@paulmasonconsulting.co.uk