PCI Playing Mobile Limbo
The PCI-DSS model imposes contractual obligations on merchants to meet a series of policy, procedural, technical and administrative security standards wrapped around the protection of cardholder data. The primary goal of all of these contractual requirements is to ensure that card data—principally card number, cardholder information and validation information—that could be used to facilitate either identity theft or credit card fraud remains confidential.
The security standards, if followed, have other laudable consequences: they promote consumer acceptance of the payment card industry; they protect the reputation of the merchant; they protect the confidentiality of transaction information (what the consumer purchased); and they promote the integrity and availability of the payment card system (and those networks that make up or are attached to it). These rules are frequently perceived by merchants to be regulations, but they are, in fact, nothing more than a contractual obligation between the merchant and its acquiring bank—albeit a contract that does not allow for negotiation.
What the PCI-DSS rules do not do, or do not do very well, is to promote the adoption of new cutting-edge technologies. The rules are designed for what we know, and what we already do—a standalone or networked POS terminal in a brick-and-mortar store or attached to a Web-based online purchasing system that is connected to a conventional network. The problem for early adopters of new, innovative and potentially game-changing technologies is not that these technologies are not secure (they may be, they may not be). The problem is that they have not been assessed or evaluated for security. Thus, early adopters are proceeding on a high-wire, without the net that PCI compliance may provide.
Let’s say you adopt one of these new mobile payment technologies and the technology has met the standards for PCI compliance. You invest heavily in the technology, its deployment, security, testing, training, integration, marketing, etc. Everything is up and running well, and you are at the leading edge. Competitors are drooling as your sales increase, costs decline and efficiencies increase. Indeed, because you have invested heavily in testing the new technology, you are convinced that it is secure—well, at least as secure as the technology it replaced.
But now you learn that the PCI Council has withdrawn approval of the new technology. Or at least given notice that, some time in the future, it intends to withdraw such approval. Usually these things take at least six months to a year. What do you do?
Do you immediately cease all operations, rip the wiring out and take a huge loss (oh, and fire the engineer whose bright idea it was to adopt the new technology)? Do you circle the wagons, get the lawyers involved and fight the PCI Council tooth and nail to reverse its decision? Most importantly, do you continue to use the technology that is, shall we say, marginally approved in the interim?