Enterprise Encryption Meets Corporate Reality (page 2 of the column)
For merchants, this is another area where it is time to consider some difficult architectural choices. Data security and PCI compliance have driven millions of dollars of spending at the POS for a lot of retailers. Greater centralization and wider use of virtual terminals would seem to make sense for many more companies than currently use the technology. If nothing else, I am suggesting the option is worth discussing because it may reduce the impact of PCI DSS on the POS in the future.
Most merchants would be thrilled to get rid of PCI compliance tasks. Because it seems unlikely that the standards will simply “go away,” the next best option is outsourcing compliance management. Comparatively simple tasks, such as the quarterly external vulnerability scans of a merchant’s Internet-facing IP addresses, were designed from the start to be delivered as a service by Approved Scanning Vendors (ASVs).
But the advent of end-to-end encryption and tokenization has raised the prospect of outsourcing the vast majority of PCI compliance tasks by having payment processors and payment gateways control most of the process from the moment card data is first captured. That is, the processor or gateway takes over at the point of capture, whether that is the POS, the online shopping cart or call-center software, by managing the encryption keys remotely and by tracking each transaction with a token that stands in for the card number on the merchant’s systems.
Yes, there are (and will continue to be) issues with how this process works and with the extent to which these approaches really “remove” merchant systems from PCI scope (a POS that handles the clear-text card number before encryption, or a merchant that holds the decryption keys, stays in scope regardless of what the processor does). But that is not my point. My point is this: by truly “outsourcing” PCI compliance, are you also reducing your ability to understand and measure your own risks (of, say, a security breach), and is that what you want?
Enterprise risk management (ERM) models carry several variables tied to technology risk, security breach risk and the like. The potential financial impact of these factors is often in the tens of millions of dollars.
What is really interesting here is that the PCI DSS mandates appear to have caused a fundamental shift in the willingness of even large organizations with extensive, well-trained IT teams to consider outsourcing IT security, to an extent I have not seen before. I am not suggesting this is right or wrong, only that our research shows a much greater willingness to consider “security as a service” and “compliance as a service” than we would have expected only a year ago.
I figure that as long as these merchants have considered how they will bake this into their ERM models, it is fine. I just suspect that for many merchants this discussion hasn’t happened yet, and it needs to.
Each of the three decisions highlighted in this column is worth millions, especially to larger merchants. For this reason, I am really interested in what you think and where your organization stands on these points. As always, if you would like to discuss this topic, visit the PCI Knowledge Base and fill out our “Contact us” form, or send me an E-Mail at David.Taylor@KnowPCI.com.