A Grade-A, Top Primo Example Of Misleading PCI Vendor Claims

Written by Evan Schuman
August 24th, 2011

People who work in the marketing departments of security vendors have it hard. They need to make routine situations—like having an app declared PCI compliant—sound impressive. It’s like a politician with a big sign outside his office proclaiming: “Haven’t been indicted yet this year.”

This forces the vendor to get creative (a nice word for “misleading”) to trumpet that which is quite ordinary. We see this so often that it’s hardly worth mentioning. But every once in a while we see someone push the BS envelope so far that it pretty much requires a mention. A vendor named Transaction Wireless provided us such a reach on Tuesday (Aug. 23).

PCI compliance doesn’t come in grades and is a very clean pass-fail situation. That’s why the vendor’s headline caught our eyes: “Transaction Wireless First Cloud-Based Digital Giftcard Platform to Earn Highest PCI Level 1 Certification.”

That is a truly delightful piece of sleight of hand. Other than saying “certification” rather than “compliance,”—see PCI Columnist Walt Conway’s classic primer on how to use PCI terms as well as a QSA native—Transaction Wireless’ headline is literally correct. But it suggests that the vendor has something above and beyond, which is not the case. Level 1, of course, refers the number of card transactions. That Level 1 category was dictated long before the vendor even started its compliance assessment, so it doesn’t get to take any bows.

Level 1 is indeed the most stringent, but that fact impacts everyone. It’s like a high school senior touting his pass/fail performance to a college admissions officer: “My score of ‘Pass’ was for a class in Grade 12, which is the highest and most difficult level of testing available in any high school in the country.” The difference? College admissions officers are experts on how high school grades work, while Transaction Wireless seems to be focusing on retailers who don’t understand PCI well enough.

The statement quoted CEO Doug Schneider as saying: “While strong security processes have always formed a major cornerstone of our offering, we felt it was important to earn the highest official third-party certification.” From a PCI perspective, there is no meaningful “highest official third-party certification.” Put another way, the vendor had no choice. Size wouldn’t have permitted Transaction Wireless to have sought anything else. From a PCI nitpick perspective, QSAs do not certify; they assess.

From an editing nitpick perspective, the sentence is structured as though the second part conflicts with the first (as in “While profits are very important to our business, this charitable effort merited an exception”), but the two parts of the sentence actually agree. For even more of an editing nitpick, Transaction Wireless didn’t mean “while.” It meant “although.”

On the plus side, there’s no reason to doubt that this vendor is now PCI compliant. Had it simply said that—without suggesting its compliance was somehow different from its rivals—there would be no issue. But little by little statements such as this make it more difficult for retailers to make legitimate comparisons between vendors on security matters. These days, that’s essential to do. Legal Note: This column has been assessed as the Level-1 Grade-A of all stories we’re running this week featuring PCI definitions and cranky editing gripes. (Hey, if you can’t beat ’em…)


3 Comments | Read A Grade-A, Top Primo Example Of Misleading PCI Vendor Claims

  1. Ali Says:

    it seems good writing is dead in the PR industry.

  2. Mark Says:

    PCI compliance is currently applied to payment cards like credit and debit, but most gift card systems ingore it entirely. As a result, you occasionally see thieves/hackers hack gift card systems and rack up illegitimate purchases. It is not a big deal, but encrypting this data seems like a good idea.

  3. Evan Schuman Says:

    Editor’s Note: We agree. As said in the story, the compliance part was good. It was the misleading characterization of Level One that was the point of the story.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.