Must PCI Compliance Conflict With Customer Service?

Written by Walter Conway
November 27th, 2012

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

I recently had a client ask: “Why is PCI making me stupid?” By that the client meant she was considering reversing a number of technology innovations her company had implemented over the last couple of years. Basically, those innovations had the unintended consequence of expanding her company’s PCI scope, and the resulting cost of compliance was too much.

The issue is not unique to PCI. Innovations in retail technology happen every day, but standards adapt to these changes much more slowly.

Every retailer lives in this situation. A mobile app works great, but it is not PCI compliant. Web orders get outsourced nicely, but processing mail order and telephone order (MOTO) transactions on a workstation either means lots of network reengineering, separate devices or lots of increased PCI scope (or all of the above). Sometimes, PCI compliance and security even seem to be at odds with each other. What is a merchant to do?

I wish I had the answers. But my conclusion is that maintaining PCI compliance can require retailers to make tradeoffs between having the latest, slickest customer experience and being compliant. Here are a few examples.

I know an E-Commerce merchant that has a small call center to handle customer service questions and process MOTO transactions. The merchant’s staff used to process these payment-card purchases using their workstations, accessing the Web site just like a customer would. Unfortunately, that practice makes the workstations payment devices, and it brings the workstations and anything connected to them into PCI scope. Because the merchant wanted to keep its inventory and other systems out of PCI scope, it has started using POS terminals for processing MOTO transactions. The result is that the merchant is compliant again, but it has more back-office work reconciling the MOTO transactions with the online purchases.

From this merchant’s perspective, PCI DSS made it scrap an integrated, efficient system and replace it with a two-step process that requires additional back-office work (not counting the POS terminals cluttering up the call center’s desks).

The merchant could, of course, have added a second computer at each call center desk, one dedicated to processing payments and housed on a separate network segment. Both the new computers and the network segment would be in PCI scope. The POS devices, though, were cheaper, so the merchant is living with its newly dis-integrated arrangement.
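The scoping logic behind this tradeoff can be made concrete. The following is an added example, not code from the article or from the merchant described: it treats PCI scope the way an assessor would, as the systems that handle cardholder data plus everything that can reach them with no segmentation control in between, and compares the three arrangements above on a constructed call-center network. All hostnames and connections are invented for illustration, as is the final case, where one permissive firewall rule from the payment segment back to a file server pulls the entire LAN back into scope.

```python
"""PCI DSS scope as network reachability (illustrative, constructed topology)."""
from collections import deque


def pci_scope(cde, connections):
    """Return the set of systems in PCI DSS scope.

    cde: systems that store, process or transmit cardholder data.
    connections: (a, b) pairs meaning a and b can talk on the network with no
    segmentation control (firewall/ACL) blocking the path. A VLAN alone does
    not count as segmentation; only an enforced block removes the edge.
    Connectivity is treated as undirected: a system that can reach the CDE
    (an admin jump box, a directory server) is in scope just like a system
    the CDE reaches out to.
    """
    adj = {}
    for a, b in connections:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    in_scope = set(cde)
    queue = deque(cde)
    while queue:  # breadth-first walk outward from the CDE
        node = queue.popleft()
        for neighbor in adj.get(node, ()):
            if neighbor not in in_scope:
                in_scope.add(neighbor)
                queue.append(neighbor)
    return in_scope


# Constructed corporate LAN shared by the call center (hostnames are invented).
BACK_OFFICE = {
    ("csr-ws-01", "inventory-db"),
    ("csr-ws-02", "inventory-db"),
    ("csr-ws-01", "mail-server"),
    ("csr-ws-02", "mail-server"),
    ("inventory-db", "erp-app"),
    ("mail-server", "file-server"),
}
# "acquirer-link" stands for the merchant's outbound connection to its processor.


def scope_workstations_take_cards():
    """Original arrangement: CSRs key card numbers into the Web site from their desktops."""
    return pci_scope({"csr-ws-01", "csr-ws-02"}, BACK_OFFICE)


def scope_dedicated_payment_pcs():
    """Alternative in the article: a second PC per desk on its own segment.

    The firewall lets the payment PCs reach only the acquirer link, so the
    new PCs and that segment are in scope but the back office is not.
    """
    payment_segment = {("pay-pc-01", "acquirer-link"), ("pay-pc-02", "acquirer-link")}
    return pci_scope({"pay-pc-01", "pay-pc-02"}, BACK_OFFICE | payment_segment)


def scope_standalone_pos():
    """What the merchant chose: standalone POS terminals with their own link out."""
    terminals = {("pos-01", "acquirer-link"), ("pos-02", "acquirer-link")}
    return pci_scope({"pos-01", "pos-02"}, BACK_OFFICE | terminals)


def scope_misconfigured_segment():
    """Failure mode (constructed): one rule allowing a payment PC to reach the
    file server, e.g. for 'convenience', collapses the segmentation."""
    payment_segment = {
        ("pay-pc-01", "acquirer-link"),
        ("pay-pc-02", "acquirer-link"),
        ("pay-pc-01", "file-server"),  # the single permissive rule
    }
    return pci_scope({"pay-pc-01", "pay-pc-02"}, BACK_OFFICE | payment_segment)


if __name__ == "__main__":
    cases = [
        ("workstations take cards", scope_workstations_take_cards),
        ("dedicated payment PCs", scope_dedicated_payment_pcs),
        ("standalone POS terminals", scope_standalone_pos),
        ("segment with one bad rule", scope_misconfigured_segment),
    ]
    for name, fn in cases:
        scope = fn()
        print(f"{name}: {len(scope)} systems in scope -> {sorted(scope)}")
```

The first case puts six systems in scope, including the inventory database and ERP application that have nothing to do with payments; the dedicated-PC and POS-terminal cases each reduce it to three. The last case is the one to remember when a segmentation design is reviewed: scope is only as small as the least restrictive rule on the boundary.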

Another case arose when I spoke at a conference where a university used a laptop to process payments at an offsite alumni event. Naturally, the practice raised a lot of PCI scoping questions about everything from the device to any wireless network used to process the card transactions. Another PCI expert was on the podium with me. That expert suggested that the university instead write the payment-card details on a paper form and process the transactions manually when university employees returned to their office (and, presumably, a POS device). The expert should have added that the university should hope there were neither declines nor transcription errors on those paper forms.

I have to agree that this approach simplifies PCI compliance. But it also dumbs down both the experience and the progressive, tech-savvy image the university—or any retailer—wants to project. Who would not think that Square (2011 technology) is sexier than an imprinter (a.k.a., “knuckle buster,” a 1960s technology), which itself is probably sexier than pen and paper (let’s go back to papyrus, say 2000 BCE)?

The biggest area where PCI is behind the curve is in mobile commerce. And, interestingly, this appears to be one case where the march of technology is unimpeded by compliance concerns.

The PCI Council has excluded mobile payment applications from its PA-DSS program for the last two years. In that time, mobile commerce has grown anyway. Ultimately, MasterCard and then Visa both published best practices for implementing mobile commerce using attached card readers (a.k.a., dongles). Both card brands recognized that using mobile devices with card readers might not be PCI compliant, but the practice was unavoidable.

So let’s get back to the question of whether PCI, in the words of my client, “makes you dumb.” It seems the answer is: It can, but it doesn’t have to. Paper may not be sexy, but it is really difficult to hack from another continent. In some cases, PCI compliance will cause retailers and other merchants to go backward a bit in technology to minimize PCI compliance cost and effort. It’s a tradeoff that seems to have a business case, and one where a merchant can make a decision based on the plusses and minuses. Blaming PCI compliance may be convenient and, in some cases, appropriate, but you still need to recognize that there are tradeoffs between security and convenience.

Maybe that’s why we have QSAs—qualified security assessors—and not QCAs—qualified convenience assessors.

What do you think? I’d like to hear your thoughts. Either leave a comment or E-mail me.


2 Comments

  1. Dmitry Sokolov Says:

    While it can’t yet address PCI compliance questions associated with customer-owned mobile apps, client virtualization (VDI or SBC) can deliver on PCI compliance requirements across in-branch POS, back-office processing, outsourced customer service call-centers and other tasks where customer data is collected, accessed or processed.

    Added benefits of enhanced up-time, PC client management and disaster recovery will be welcomed as well.

  2. A Reader Says:

    In reality this is a very good and strong security solution. It keeps the workstations wide open, and if a CSR gets phished by an evil key-logging virus, it’s still not a big compliance deal.

    It only sounds bad when you phrase it this way: “Oh poor me, I have to have an unintegrated POS device here!” It places the emphasis on the notion that integrated solutions are always the best no matter what. But nothing is ever ‘one size fits all’, not even a good idea. The reason integration is not the best solution here is that cardholder data is both a liability and an asset.

    Instead of holding on to this notion, consider cardholder information as if it were radioactive gold. It’s toxic, something to keep a long ways away from everything, and handle as little as possible. Sticking it in the digital equivalent of a lead-lined vault keeps us a little safer, but we’d still rather have something completely different.

    But since that’s still how we get paid, we’re stuck with it.

