PCI Avoidance Strategies

Written by Evan Schuman
November 6th, 2008

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Without a doubt, the most popular strategy for dealing with PCI compliance and data security is avoidance. Not unlike the game of "hot potato," which dates back to the pilgrims, the goal is to find someone who is willing to put up with the hassle of PCI compliance and then give that person all the credit card data.

Whether you call it outsourcing or tokenization, software-as-a-service, virtualization or even, gasp, cloud computing, it’s essentially a "risk avoidance" strategy. However, most of what we see in our research is more avoidance than strategy.

  • PCI 1.2 changes in service provider assessment
    One of the new provisions of PCI 1.2 that has received little attention, compared to its importance, is the requirement that merchants do a due diligence evaluation of service providers prior to engaging them to collect, process or store credit card data. Based on our research, that due diligence typically consists of asking service providers if they are PCI compliant. However, it is almost impossible for service providers to be compliant at the company level. They can provide PCI compliant "environments" and "services" to their customers. But they have so many different customers and so much data, and they may well make extensive use of server virtualization, that it renders some of the PCI requirements unenforceable. For this reason, we believe a best practice is to conduct—or have an objective auditor conduct—an architectural review of any third parties being considered to provide PCI-related services. This will not only satisfy the new PCI 1.2 requirement, it will also help the merchant set up a process for regularly monitoring the PCI compliance and security of card data in the hands of each third party, which is another part of the modified PCI 1.2 requirement.
  • "Where’s my data?" is not a stupid question
    One of the most common problems that retailers encounter when trying to do a PCI self-assessment or work with a QSA to do one is that most merchants simply do not know all the places where their credit card data can "hide." For example, it is very common for large quantities of card data to be "discovered" months after a thorough PCI assessment. And that’s even after creating data flow diagrams and running tools designed to find data that matches a specific set of criteria. The chances are very good that handing off all a merchant’s card data to a service provider is not going to provide any more certainty about where that merchant’s credit card data actually "is," particularly if the service provider should subcontract some of the data storage and management tasks to yet another company—a "fourth party," if you will. The bottom line here is that it is inconsistent with the spirit of the PCI standards and retail industry best practices to adopt a lower standard of "due care" for confidential data that is collected, processed or stored by a service provider. We recommend a detailed risk analysis of the technical and managerial process of payment outsourcing and the use of tokenization, and any other technology or process that is not directly addressed by the PCI standards.
  • Advice for merchants
    When it comes to technologies like tokenization, virtualization and cloud computing, merchants should neither rush to embrace them because they promise risk transference and PCI avoidance nor reject the use of these technologies simply because they are not mentioned by name in the PCI standards. The goal is to develop a common risk analysis methodology that can be used to evaluate any business process change (e.g., outsourcing) or technology change (e.g., virtualization) that is not directly addressed by a specific PCI standard. In addition, each time merchants consider treating credit card data in one way, because of PCI, they need to consider treating ALL their confidential data the same way. If a breach or accidental data loss should occur, then it would be difficult to justify treating confidential data with different levels of due care simply because of industry standards.
    If you have a question about PCI, outsourcing, tokenization, service providers or any other related topic, you can ask the PCI Knowledge Base panel of more than 75 PCI experts in our discussion forums. We have one specifically focused on "Ask a QSA" and we’re considering adding one just for PA DSS. Let us know if you think that’s a good idea. Also, if you’re a retailer, we want to get you involved in the PCI Best Practices study we’re doing with the National Retail Federation. It’s 100 percent anonymous. Just send us an E-mail at
