Re-Thinking Payment Gateways

Written by Evan Schuman
June 19th, 2008

Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

A surprisingly large number of major retailers today are using inhouse or outsourced payment gateways to reduce the scope of their compliance effort as well as their costs. At some point in the last decade, nearly every organization involved in electronic commerce did an evaluation of payment gateways. So, what’s changed?

The answer is that the PCI requirements have changed some of the math and criteria used to evaluate payment gateways and that means it’s time to revisit some of the decisions that were made prior to the increased focus on merchant and service provider security.

PCI narrows your payment gateway options. Retailers and service providers have made it clear that many of the smaller payment gateway providers simply cannot afford to implement all of the data security requirements of PCI DSS. Rather than find another line of work, some of them are avoiding the issue of security or getting compliant by "working" the system via compensating controls, "easy grader" QSAs and other questionable techniques. This means that merchants who originally viewed the gateway business as a purely price-based decision should re-think their selection of a gateway vendor. I am not saying that you should not shop on price. I am saying that you should substantially narrow the list of vendors from which you choose.

PCI compliance should not be a "checkbox" for gateways. We all know that PCI compliance lends itself to a "checkbox" approach. However, if there is any time when you want to do serious due diligence, it is when you are choosing a company that is going to handle payment processing. On many of the payment gateway Web sites, you can’t even find mention of whether they are compliant.

When I’ve talked to some of these vendors, all I can get from most is "we’re PCI compliant" or "we’re on Visa’s list." But it’s clear that merchants considering these gateways need to focus on the specific "evidence" of compliance, and particularly the use of compensating controls. There is way too much trust being placed in these payment gateways for merchants to simply place "PCI compliance" on a spreadsheet or in a table and plug in "yes" or "no" and move on to the next item.

Maybe you should manage your own payment gateway. Many universities and diversified corporations manage their own payment gateways, and they have found it is a major improvement in reducing the scope of compliance assessments. By managing their gateway inhouse, typically working closely with their bank/card processor, they feel they are keeping control, while reducing both transaction and security management costs.

But there are some major risks with the "do it yourself" approach. In addition to fully owning all liability and breach response management, keeping up with fraud detection requires that the payment gateway owners do more than just achieve PCI compliance. Some of the payment gateways only provide basic Address Verification System (AVS) and Card Code Verification (CCV), so improving fraud detection may require software upgrades to get improved analytics, but the costs can generally be directly justified based on the money saved by reducing chargebacks.

Data security is a feature. Despite all the supposed awareness of PCI and data security in the payment community, we were surprised that when we searched for comparisons of payment gateways, virtually none of them had any focus on the security of the transactions or the overall service being provided. Therefore, it’s hard to fault a merchant who chooses a payment gateway that is less than secure.

One difficult decision is deciding when to outsource payment and security services to third parties. (For those who want to explore further, the PCI Knowledge Base is working with the National Retail Federation on a study of retail PCI best practices and payment is one of the top areas we’re looking at.)

I am concerned that many of the payment gateway vendors choose not to emphasize the security of customer data as a feature. I expect this will change. But, in the meantime, I certainly recommend doing a very thorough review of the specific controls that a prospective payment gateway would apply to your data and being very demanding when it comes to getting the "evidence" of compliance, particularly descriptions of any compensating controls. You’ll be much happier later on, if anything should happen.

Bottom line: If you made your payment gateway decisions (insource vs. outsource; vendor selection) more than three years ago and you didn’t do a thorough analysis of the security being accorded your payment data, then you need to re-think your decision now. If you’d like to argue with me, please send me an E-mail at or visit and click Register to join the PCI Knowledge Base.


2 Comments | Read Re-Thinking Payment Gateways

  1. Steve Sommers Says:

    I’m not sure if we are the exception to the rule or if we were overlooked in the story but we have always been open to how we protect the merchant’s data — both within our data centers and the technology we install at the merchant location to secure the cardholder data on the merchant’s network. Originally when we were added to the Visa certified provider list we did sell on “we’re on the list.” We were one of the first gateway providers on the list; why not use it as far as it will go? But that advantage didn’t last long. We quickly shifted to informing and demonstrating (sometimes maybe even flaunting) our technology. We view our technology as a distinguishing selling point —- after all and as you point out, anyone can get on the certified list via various means.

    I’m sorry David, I read all your stories and most of your points I agree and even the ones I don’t agree with your point I still see your point. But I’m confused here on where you are going with this one. A university example is given to demonstrate a case for insource gateway services but industry reports show universities as one of the riskiest places for cardholder data breaches. I couldn’t decide if this example was an argument for insource gateway services or an example where outsource services should be used.

    Maybe my confusion is my own preconditioning. I’m used to stories like “in-house is good; out-sourcing is bad” or visa-versa. Maybe your intent was simply “insource/outsource — you decide,” and like I said, I’m not used to that. While I’m a little confused with this story, keep them coming as your still batting over 900 on my books.

  2. Dave Taylor Says:

    Re: the Gateway piece. The funny thing is: I started out wanting to say something very simple, which is that payment gateways built or contracted for more than a few years ago may not provide the level of data protection that retailers need, simply because most decisions were made back then with data security as a minor consideration, if at all. (Even now, many of the providers do not mention PCI, or security. If they do, it’s treated as a simple checklist.
    I believe that whether in-sourced, or out-sourced, retailers need to do much more due diligence of their service provider’s data protection, and not take it for granted, based on “check mark” on a form.
    However, I wound up throwing in some other ideas, as you can see. But, as I say, my Bottom Line was meant to be very simple.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.