Retailers Need To Protect Themselves From Lying Vendors
Written by Walter Conway. A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
I am not a fan of boxing, but I seem to remember that just before the start of a fight the referee tells each boxer to “remember to protect yourself at all times.” I am starting to think that merchants need to take this advice when dealing with some payment system and application vendors.
If you don’t protect yourself at all times, you could end up paying a lot more in both money and time to become PCI compliant. With the Visa mandate on PA-DSS applications in full effect, it may be time for retailers to break out their boxing gloves.
A retail CIO’s life is complicated enough without having to deal with the few application vendors and service providers that lie. I’m not talking about the usual marketing hype or stretching the truth about how easy it is to install some software package. Rather, I’m talking about misrepresenting the impact of a vendor’s product or service on a retailer’s PCI compliance.
Regardless of the chain’s size – from a large retailer with lots of localized decision-making to a franchisor with franchisee-owned stores to even a midsize merchant without a large IT staff – this situation affects you.
I guess I could be diplomatic and say these vendors just don’t understand what PCI requires, but it is a bit late for that. PCI has been in effect for several years, so ignorance is no longer an excuse. That train has left the station. Any vendor that can’t properly describe how its application or service will impact a merchant’s PCI scope or compliance is – in this QSA’s opinion – simply not telling the truth.
Were the vendors genuinely ignorant of PCI? I do not know where stupidity ends and lying begins. But in my mind, such vendors misrepresent their products to their customers, and the customers are now paying the price.
To be fair, we need to remember that the lies may have two sources. It’s not necessarily the case that the vendor representatives in your office are lying about PCI. They may be honestly telling you what their company told them to say or what they read in a talking points memo. Instead, it may be their bosses who have lied.
On the other hand, you may have the opposite situation, where the vendor is being truthful but the reps have chosen to be stingy with the truth. Whether or not they know what they are saying is a lie is irrelevant to my point. You need to understand what PCI requires. The days of blindly trusting a specialized vendor for trusted counsel are, sadly, gone.
Here are some situations I have seen recently:
As far as I know, nothing in the world of PCI is “certified.” Payment applications may be validated, PIN encryption devices may be approved and service providers may be assessed or compliant, but nothing is certified. Maybe the vendor in this case is certifiable, but that is a separate discussion.
The problem is that the retailer is left to pay the price in terms of increased risk, expanded PCI scope and possibly higher cost to become compliant.