Most Retailers Are Not Yet Ready To Outsource PCI

Written by Evan Schuman
July 10th, 2008

Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Outsourcing is considered the thing to do these days, like a summer barbecue. But it’s both easier and more complex than most merchants think.

The first move has to be to take a serious look at your data. Think of it like a residential move. How much of that accumulated card data do you really need anymore? How much are you honestly going to use? The less you keep, the less you have to protect and manage, and the less you keep, the easier it will be to outsource.

Even if you triage your data and keep only a small amount, don’t get too trusting. Outsourcing can be a great way to get Visa and others off your back, but if you remove the data from your system and give it to someone else, you can’t just pretend that it’s being protected.

Let’s be bold about this: Payment outsourcing will be the top trend among retailers and other merchants in 2009 and 2010, in terms of adoption, spending levels and impact on how these merchants manage their payment process.

We’ve conducted over 160 hours of interviews for the PCI Knowledge Base, and many of these interviews have been conducted with retailers. Although outsourcing is rare among the largest merchants, it’s becoming very popular among SMEs. In terms of making PCI scalable, it’s becoming pretty obvious that the only way to get the bulk of the retail community to be PCI compliant is if they outsource payment processing to third parties.

The leading edge of this trend is in higher education. Most major universities have managed to get their on-campus Level 4 merchants to be compliant by relying on a (primarily) outsourced payment gateway service and removing all card data from university applications, files and databases. Most have managed to complete this process in less than 12 months. In fact, I would wager that no place on the planet has as large concentrations of PCI-compliant Level 4 merchants as can be found on the campuses of American universities.

The key to this is the willingness to outsource the process and to work with the campus merchants and departments to convince them to live without the card data. Retailers tell me every day that they simply cannot outsource payment processing entirely, because the data is built into too many applications and business processes. On the other hand, the largest retailers are telling me that their average spending on PCI in year one is well north of $1 million, heading for $2 million. That’s enough incentive to take a hard look at outsourcing (particularly if you haven’t yet spent the $2 million, because you’re hoping PCI will go away or magically become easier).

But wait! Isn’t payment outsourcing bizarrely expensive? The answer is "yes" in some cases, and getting that monthly bill for having someone else do something that you already have staff in place to do is the other half of the "push me pull you" argument. It’s all in how PCI is paid for and who is running it. If PCI is being run out of the IT department as a "security project," then the issue of outsourcing may never even be discussed. But if it’s being run out of the CFO’s office under a Compliance Office or Internal Audit, then outsourcing should be on the agenda for a meeting this year, because the CFO is in the best position to weigh the pros and cons of the issue.

Why should you trust a service provider more than your own people? You shouldn’t. In fact, the real downside of outsourcing is the "out of sight, out of mind" problem. Probably 90 percent of merchants have no due diligence process in place with their service providers to make sure that, day by day, their data is being protected as well as, or better than, it would be if they were doing the job themselves. Without regular reporting and inspection, the risk of payment outsourcing is actually pretty high. To win business, payment service providers will have to focus more on what I’d call "continuous compliance reporting," so that retailers won’t have to wonder what’s going on with all that data they entrusted to the service provider.

Are service providers fully PCI compliant? This question is tough, and worth asking each and every service provider you deal with. Most service providers are not capable of being PCI compliant "as a company" because of how data for multiple customers is stored together on shared servers, how access is managed, and so on. However, service providers can (and do) provide a "PCI-compliant environment" for Customer X or Customer Y, which has proven to be acceptable to the card brands, acquirers and QSAs. The practical check is to make sure the compliance evidence a provider gives you covers that specific environment and the services you actually use, rather than a general claim about the company.

The bottom line is that retailers must recognize that they still cannot outsource liability, and they must take more responsibility for service provider due diligence, whether they fully outsource payment processing or not. By the way, it’s worth noting that being an IT or payment service provider is probably the most difficult task in all of PCI Land, because of the "converging compliance conundrum," but we’ll address that in a future column.

If you’re a retailer, we want to get you involved in the best practices study we’re doing for the National Retail Federation. If you’d like to participate, send me an E-mail at





