Retailers Need To Protect Themselves From Lying Vendors

Written by Walter Conway
July 14th, 2010

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

I am not a fan of boxing, but I seem to remember that just before the start of a fight the referee tells each boxer to “remember to protect yourself at all times.” I am starting to think that merchants need to take this advice when dealing with some payment system and application vendors.

If you don’t protect yourself at all times, you could end up paying a lot more in both money and time to become PCI compliant. With the Visa mandate on PA-DSS applications in full effect, it may be time for retailers to break out their boxing gloves.

A retail CIO’s life is complicated enough without having to deal with the few application vendors and service providers that lie. I’m not talking about the usual marketing hype or stretching the truth about how easy it is to install some software package. Rather, I’m talking about misrepresenting the impact of a vendor’s product or service on a retailer’s PCI compliance.

Regardless of the chain’s size–from a large retailer with lots of localized decision-making to a franchisor with franchisee-owned stores to even a midsize merchant without a large IT staff–this situation affects you.

I guess I could be diplomatic and say these vendors just don’t understand what PCI requires, but it is a bit late for that. PCI has been in effect for several years, so ignorance is no longer an excuse. That train has left the station. Any vendor that can’t properly describe how its application or service will impact a merchant’s PCI scope or compliance is–in this QSA’s opinion–simply not telling the truth.

Were the vendors genuinely ignorant of PCI? I do not know where stupidity ends and lying begins. But in my mind, such vendors misrepresent their products to their customers, and the customers are now paying the price.

To be fair, we need to remember that the lies may have two sources. It’s not necessarily the case that the vendor representatives in your office are lying about PCI. They may be honestly telling you what their company told them to say or what they read in a talking points memo. Instead, it may be their bosses who have lied.

On the other hand, you may have the opposite situation, where the vendor is being truthful but the reps have chosen to be stingy with the truth. Whether or not they know that what they are saying is a lie is irrelevant to my point. You need to understand what PCI requires yourself. The days of blindly relying on a specialized vendor for counsel are, sadly, gone.

Here are some situations I have seen recently:

  • The first indication that should make you suspicious is when a vendor talks about being PCI “certified.”

    As far as I know, nothing in the world of PCI is “certified.” Payment applications may be validated, PIN encryption devices may be approved and service providers may be assessed or compliant, but nothing is certified. Maybe the vendor in this case is certifiable, but that is a separate discussion.

    The problem is that the retailer is left to pay the price in terms of increased risk, expanded PCI scope and possibly higher cost to become compliant.

  • You also may be dealing with a lying vendor if the reps talk about “how our partner is PCI compliant, so you have nothing to worry about.” In one case I saw, a merchant hosted a payment application that purportedly made the merchant PCI compliant because the package connected to a Level 1 Service Provider. Unfortunately, the vendor told only half the story. What the vendor did not point out was that the merchant-hosted application processed payment card data before transmitting everything to the service provider, which leaves that application, and the systems it runs on, inside the merchant’s PCI scope.
