Shakedown? Mandatory Retail Buy List To Exclude ISVs Who Refuse To Pay PCI Tribute

Written by Evan Schuman
September 9th, 2008

In what some software vendors dub a shakedown, a PCI list of compliant applications—which retailers will soon be limited to purchasing from, if they want to stay PCI compliant—is excluding software vendors who decline to pay a financial tribute to PCI.

The list is from the Payment Application Best Practices (PABP) program, and retailers will soon be forced to limit their payment-related product purchases from that list. According to Visa, as of July 1, 2010, "Acquirers must ensure their merchants, VNPs (VisaNet Processors) and agents use only PABP-compliant applications."

Although that technically does not require a retailer to use only the apps on the list, they would be required to prove that the apps they choose are compliant. Retailers could perform their own testing or force the software vendor to prove compliance. But as a practical matter, it’s likely that the vast majority of retailers will simply use the already-approved applications on the list.

The list had been maintained by Visa, but it will be transitioned to a group within the Payment Card Industry Security Standards Council on October 1.

But why wait until the last minute? In late August, PCI started sending letters to already-listed application developers informing them of a change: All listings will require a $1,250 payment—per application, every year—as "a listing fee." Somehow, Visa managed to craft the list without such a fee.

Indeed, the notices were sent—with payment due immediately—more than a month before PCI even has control of the process.

One such software vendor, Shift4, has started rallying against the move on a blog run by its VP for application development.

"My feeling is that this is nothing more than an extortion letter. Upon reading this notification, I immediately responded to PCI DSS asking for a justification of the fee. So far, no response and I really don’t expect one," wrote that Shift4 VP, Steve Sommers. "I also called PCI SSC directly to verify the notification because it had such a scam smell. Much to my surprise and dismay, they confirmed it was legit. Now the program I have been promoting as ‘good for the industry’ reeks of a scam."

That may be a bit harsh, but this does raise some troubling issues. The intent of the list is that it’s as full and comprehensive a list as possible of compliant applications. What about smaller open-source vendors, whose applications might be superior to high-end applications for a much lower cost? What if they have seven or eight applications and can’t afford the $10,000?

This is especially problematic because this listing fee would be atop membership fees and the costs of paying for the assessments. "I think it is going to cripple PCI," Sommers said, "because vendor support is going to drop and who pays the fee for open-source projects that are slowly gaining momentum?"

Another issue for retailers to consider about the list is what protections it truly provides. One of the promises of PCI compliance is the much sought-after retail payment data safe harbor.

But like PCI compliance itself, the protection is far from ironclad. A post-breach thorough probe by Visa, banks, the Secret Service and anyone else can easily turn up things that were missed by a cursory initial assessment. If the retailer is found to not actually be compliant—regardless of whether they were certified compliant—that safe harbor is going to be about as safe as the Sunni Triangle after dark.

The list has similar issues. A retailer using a vendor on the list who happens to be caught up in a breach will also have its apps inspected. If an application is found to not be compliant, it’s unlikely that the vendor’s name being on a PCI list will help much.

David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner. He questions whether the list will provide much protection at all.

"If retailers and assessors could trust this list as a ‘safe harbor’ so that buying from the list would free them from repercussions should they be breached, then it could be worth buying only from the list," Taylor said. "However, after discussing this with several PCI assessors, they’ve been told by the (Security Standards Council) and in training classes that they must do their own validation of the vendor because assessors are signing off, and there are lots of version, configuration and implementation issues that could result in a single tested version being different in a number of ways from what is implemented by the retailer. That’s the software business for you."

Although neither PCI nor Visa would provide anyone to discuss this story, some anonymous discussion group postings (a minority, but some) have defended the move, saying that the fees are needed to allow the group to become financially independent from Visa.

Much of this problem might prove to be a lack of communication. It might be that the fees are justified to create the organization needed. There are 161 vendors on the list as of Aug. 31, a number that is almost certain to soar as the 2010 deadline approaches. (Some banks are demanding compliance sooner than 2010.)

It’s certainly possible that the listing fees might be reduced as the number of applications increases, but PCI hasn’t addressed that issue publicly. Without such information, it certainly can look like profiteering.

An even worse perception problem arises if retailers come to see the list as a roster of advertisers rather than as a comprehensive list of all compliant applications. It’s not clear, though, what recourse such merchants would have if they did perceive it that way. But anything that would undermine the perceived credibility of PCI as it tries to establish its independence from Visa can’t be good.


One Comment

  1. Steve Sommers Says:

    Wow, David’s points are scary and open another can of worms! If the list does not buy a merchant anything, and the QSAs are being told to validate all payment applications themselves, what exactly is the point of a PA-DSS assessment?


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.