Have PCI, Will Travel

Written by Evan Schuman
September 24th, 2008

Guestview Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Get out your "traveling pants," because you’re going to have to start visiting any company to which you entrust credit card data.

According to a summary of the forthcoming PCI 1.2 standard publicly released by the PCI Standards Committee a few weeks ago, if you use third parties to collect, process or store confidential data for you, then you need to do more than simply get a letter from them once a year saying that they are doing right by your data, that they're PCI compliant, or what have you.

Merchants cannot just outsource the handling of confidential data to the lowest bidder and assume that all is well for the 364 days from one PCI assessment to the next. The real questions are, can merchants afford these visits and are there any ways to accomplish this task that are less obtrusive than the phrase "vendor visitation program" implies?

Why you should be "your brother’s keeper." We’ve talked to many merchants who say they are having enough problems just managing their own security and compliance, so the very idea that they need to take on the problem of verifying that their business partners are secure/compliant is simply beyond their current capabilities.

However, over the last 25 years, a giant spider web of service providers has emerged, complete with extensive sub-contracting of software development and data management. In fact, it is extremely likely that the typical retailer has no idea where its data (including credit card data, customer and employee PII) is actually being kept, because their contractual visibility only goes "one layer deep."

Retailers know which company they contracted with, but they don’t know with whom their service providers contracted. I would say it’s a "rat’s nest" but I already said "spider web," so you get the idea.

BITS started the party, but PCI brought the "hard stuff." The whole idea of making sure that service providers are properly protecting data has been well codified by BITS, the Financial Services Roundtable, as part of the security criteria that the group developed for financial institutions to use when evaluating their service providers.

Although their criteria are excellent, the PCI assessment process is more formalized, because it uses an independent assessment process (the QSAs). The additional rigor of the PCI process means that some service providers (e.g., call centers, software development, data center colocation) whose customers include both retailers and financial services firms are on the receiving end of voluminous, highly customized questionnaires that combine BITS and PCI, and are also receiving many more visits from their own customers.

Typically, only the largest retailers have vendor visitation programs today. But if the PCI 1.2 changes play out the way we're expecting, the number of visits to service providers will increase severalfold. It turns out that all this traveling gets expensive, what with gas prices and all. So, we're expecting changes in the market.

Enter the "we’ll visit your service providers" service providers. Why should merchants visit their service providers when they can just hire another service provider to do it for them? Yep, this is actually a real business—a real business that’s likely to get a lot bigger over the next two years.

Of course, the service can’t be just visiting the service providers. These businesses will have to "amp it up" and do more full-blown assessments. That’s how these service providers will differentiate on the high end. On the low end, the focus will be getting more service providers "checked off" for less money. But the risk, of course, will fall to the retailer.

To minimize the risk, the best plan is to adhere closely to the PCI standards but to not limit their application to cardholder data. After all, most merchants have tons of data entrusted to third parties. It would be a shame to have a vendor visit/assessment program that only focuses on protecting one type of data. So whether you visit your service providers yourself or hire someone to do it for you, it’s important that you not only follow the standards but develop a "holistic" plan that investigates the protection of all confidential data.

This comprehensive or holistic approach for investigating and managing third-party security is one of the PCI Best Practices that we at the PCI Knowledge Base developed for the National Retail Federation. If you’re a retailer, we want to get you involved in the best practices study too. It’s 100 percent anonymous. Just send us an E-mail at


One Comment

  1. J.D. Oder II Says:

    I am concerned about the sentiment of this. If taken to its logical conclusion, this would state that all of the work that we have all done to get PCI-DSS to this point was absolutely meaningless. If a merchant cannot rely on the findings of Service Provider’s independent Qualified Security Assessment firm to perform an onsite assessment then we cannot rely on the payment system at all.

    In the last PCI-SSC meeting, there were rumblings of what Mr. Taylor said, but no clear cut guidance was given. It was more like, you might want to do “this” or you might want to do “that”, but it was far from dictatorial. What was made clear is that the PCI-SSC has strengthened their requirements by adding a much more concise QA process for all future validations which will help.

    As an employee of a Level 1 Service Provider and Registered Agent of the card brands, I can tell you that the review process is far greater than even that of your largest Level 1 merchants, a SAS70/2 audit, etc.

    Now I can understand Mr. Taylor's belief, if the third-party holding one's data is small and untried, and has received a "phone" assessment. However, since it is a requirement to be PCI-DSS compliant, then I believe that a copy of the Service Provider's CORA, and/or ROVs for any PABP/PA-DSS software components, and an understanding of that company's financial stability should suffice for due diligence.

    Once the data is removed from the local POS systems running at merchant locations, then, and only then, should we turn our attention to the Service Provider community. We of course should require rigorous PCI-DSS validation of all of those third parties, but we need to stop the bleeding of transactions into the wild from merchants first. Many Level 4 merchants simply cannot afford and honestly do not care about the IT requirements in order to make themselves compliant, but the industry as a whole has an obligation to protect the merchants and secure the money system. This is especially important in this current economy.

