Re-Thinking Payment Gateways
Written by Evan Schuman
Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.
A surprisingly large number of major retailers today are using in-house or outsourced payment gateways to reduce the scope of their compliance effort as well as their costs. At some point in the last decade, nearly every organization involved in electronic commerce did an evaluation of payment gateways. So, what’s changed?
The answer is that the PCI requirements have changed some of the math and criteria used to evaluate payment gateways and that means it’s time to revisit some of the decisions that were made prior to the increased focus on merchant and service provider security.
PCI narrows your payment gateway options. Retailers and service providers have made it clear that many of the smaller payment gateway providers simply cannot afford to implement all of the data security requirements of PCI DSS. Rather than find another line of work, some of them are avoiding the issue of security or getting compliant by "working" the system via compensating controls, "easy grader" QSAs and other questionable techniques. This means that merchants who originally viewed the gateway business as a purely price-based decision should re-think their selection of a gateway vendor. I am not saying that you should not shop on price. I am saying that you should substantially narrow the list of vendors from which you choose.
PCI compliance should not be a "checkbox" for gateways. We all know that PCI compliance lends itself to a "checkbox" approach. However, if there is any time when you want to do serious due diligence, it is when you are choosing a company that is going to handle payment processing. On many of the payment gateway Web sites, you can’t even find mention of whether they are compliant.
When I’ve talked to some of these vendors, all I can get from most is "we’re PCI compliant" or "we’re on Visa’s list." But it’s clear that merchants considering these gateways need to focus on the specific "evidence" of compliance, and particularly the use of compensating controls. There is way too much trust being placed in these payment gateways for merchants to simply place "PCI compliance" on a spreadsheet or in a table and plug in "yes" or "no" and move on to the next item.
Maybe you should manage your own payment gateway. Many universities and diversified corporations manage their own payment gateways, and they have found it to be a major improvement in reducing the scope of compliance assessments. By managing their gateway in-house, typically working closely with their bank/card processor, they feel they are keeping control while reducing both transaction and security management costs.
But there are some major risks with the "do it yourself" approach. In addition to fully owning all liability and breach response management, keeping up with fraud detection requires that the payment gateway owners do more than just achieve PCI compliance. Some of the payment gateways only provide basic Address Verification System (AVS) and Card Code Verification (CCV) checks, so improving fraud detection may require software upgrades to get better analytics; the costs can generally be justified directly by the money saved through reduced chargebacks.
Data security is a feature. Despite all the supposed awareness of PCI and data security in the payment community, we were surprised that when we searched for comparisons of payment gateways, virtually none of them had any focus on the security of the transactions or the overall service being provided. Therefore, it’s hard to fault a merchant who chooses a payment gateway that is less than secure.
One difficult decision is deciding when to outsource payment and security services to third parties. (For those who want to explore further, the PCI Knowledge Base is working with the National Retail Federation on a study of retail PCI best practices and payment is one of the top areas we’re looking at.)
I am concerned that many of the payment gateway vendors choose not to emphasize the security of customer data as a feature. I expect this will change. But, in the meantime, I certainly recommend doing a very thorough review of the specific controls that a prospective payment gateway would apply to your data and being very demanding when it comes to getting the "evidence" of compliance, particularly descriptions of any compensating controls. You’ll be much happier later on, if anything should happen.
Bottom line: If you made your payment gateway decisions (insource vs. outsource; vendor selection) more than three years ago and you didn’t do a thorough analysis of the security being accorded your payment data, then you need to re-think your decision now. If you’d like to argue with me, please send me an E-mail at David.Taylor@KnowPCI.com or visit www.KnowPCI.com and click Register to join the PCI Knowledge Base.
June 20th, 2008 at 12:52 pm
I’m not sure if we are the exception to the rule or if we were overlooked in the story but we have always been open to how we protect the merchant’s data — both within our data centers and the technology we install at the merchant location to secure the cardholder data on the merchant’s network. Originally when we were added to the Visa certified provider list we did sell on “we’re on the list.” We were one of the first gateway providers on the list; why not use it as far as it will go? But that advantage didn’t last long. We quickly shifted to informing and demonstrating (sometimes maybe even flaunting) our technology. We view our technology as a distinguishing selling point — after all and as you point out, anyone can get on the certified list via various means.
I’m sorry David, I read all your stories and most of your points I agree with, and even the ones I don’t agree with, I still see your point. But I’m confused here on where you are going with this one. A university example is given to demonstrate a case for insource gateway services but industry reports show universities as one of the riskiest places for cardholder data breaches. I couldn’t decide if this example was an argument for insource gateway services or an example where outsource services should be used.
Maybe my confusion is my own preconditioning. I’m used to stories like “in-house is good; out-sourcing is bad” or vice versa. Maybe your intent was simply “insource/outsource — you decide,” and like I said, I’m not used to that. While I’m a little confused with this story, keep them coming as you’re still batting over 900 in my books.
June 20th, 2008 at 2:40 pm
Re: the Gateway piece. The funny thing is: I started out wanting to say something very simple, which is that payment gateways built or contracted for more than a few years ago may not provide the level of data protection that retailers need, simply because most decisions were made back then with data security as a minor consideration, if at all. (Even now, many of the providers do not mention PCI, or security. If they do, it’s treated as a simple checklist.)
I believe that whether in-sourced, or out-sourced, retailers need to do much more due diligence of their service provider’s data protection, and not take it for granted, based on “check mark” on a form.
However, I wound up throwing in some other ideas, as you can see. But, as I say, my Bottom Line was meant to be very simple.