The Old PCI Squeeze Play

Written by Evan Schuman
October 30th, 2008

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

We have previously argued that the Payment Application Data Security Standard (PA DSS) has far-reaching implications for the merchant community, because it affects thousands of payment, infrastructure and business management applications. But some concerns raised by Jake Star, technology VP at HEI Hotels and Resorts, take this to the next level.

Star writes, in a letter sent to news media, that he has come across "a new way in which PCI is sapping our limited IT budgets. As a merchant, I’ve got to ensure that the point-of-sale applications I use are PCI certified. So I spent almost $1 million upgrading systems last year. The POS vendor has a .X release each year, so I have a combination of systems on version 1.1 and 1.2. This year, they released 1.3."

His tale continues: "PCI comes out with an update to their standard (PCI DSS is version 1.2, as of October). There are no significant changes in the standard that would make a previous system non-compliant, but the POS vendor [name withheld at Star’s request] still needs to certify with the new version. The POS vendor, blaming everything on PCI, says they can only certify their two most recent versions (1.2 and 1.3). Voila! All my 1.1 systems are magically no longer compliant and need to be upgraded."

Star then makes a reasonable guess as to what will happen when the next tweak to PCI is announced. "The POS vendor has just effectively changed the lifecycle of their software from 5-7 years down to two. Combine that with a strategy that requires you to retire older POS terminals in order to use the new version, and they now get 40 percent of the original system cost every two years. The moral of the story is that when companies purchase their software, they should include a clause in the contract that requires the vendor maintain compliance with PCI for a certain period of time or offer free upgrades."

In other words, PA DSS compliance by software vendors will cost the merchant community many thousands of dollars every year. When one considers that PCI 1.2 was labeled as having only minor "clarifying" changes, having to pay for an upgrade to a newly "validated" version seems all the more galling.

The Payment Vendors’ Perspective

From the payment application vendors’ perspective, the picture isn’t any prettier. We have interviewed quite a few applications vendors lately about PA DSS and they are less than thrilled with the review process. None of them objects to being more secure, or to having that verified.

Rather, the essence of the complaints is similar to the complaints about the airport security screening process run by the U.S. Transportation Security Administration. The concern is that they are paying approximately $10,000 to $30,000 per release for testing, plus a listing fee, while so many customization, integration, installation and administration changes could affect the effective security of the product as the merchant actually uses it.

Even though the PA DSS testing process specifically mandates simulation of different configuration and use cases, the typical argument from the application vendors is that the nature of the software development process, and of customization, means nearly constant re-testing, because the Visa (now PCI SSC) "white list" is keyed to version number. However, all of the vendors have made it clear that they will comply, because not being on the list increasingly translates into not being in the market.

The PCI Assessor’s Perspective

We have also interviewed quite a few PCI assessors about this same issue. Their perspectives are not at odds with the vendors’. They completely understand the customization, integration, implementation and administrative issues.

Their job, when reviewing a payment application, is to make sure that the specified controls are in place at the time of the assessment, under simulated installation conditions that are as accurate as possible, and then to review all associated documentation (installation guides, etc.) for compliance. They have to ask the tough questions and search for clear, documented proof of the controls.

But what they cannot do, and what virtually no auditor can do, is find information (e.g., security design flaws) that a vendor is deliberately hiding or avoiding disclosing because it could keep the vendor off the "white list" for another 90 days and cost it a couple of major deals.

Being on the PCI SSC vendor "white list" takes on increased market/revenue importance, but I expect that upper management at more payment (and payment-related) application vendors will start to build compliance into their business plans and SDLC. That would be great. Either that, or we’ll start to see vendors take more "desperate measures" to make sure they are on the list in time to hit their revenue targets. That would be not-so-great.

Advice for Merchants

Star’s argument offers some very valuable advice to merchants: Make sure that your payment (and related) applications vendors provide and maintain a PA DSS-compliant version for an agreed-on period of time and offer free upgrades as needed, so that the merchant does not fall out of PCI compliance because its payment applications have fallen off the PA DSS white list.

This is important, not only because it will save the retailer money but also because many retailers, hotel chains, educational institutions, etc., may not have "compliance updates" in their contracts. These are common in financial services, government agencies, healthcare and other more heavily regulated industries. So it’s time to call the lawyers, contracts admin, global sourcing or whatever they’re called and review those contracts.

If you have a question about PCI, PA DSS or any other related topic, you can ask the PCI Knowledge Base panel of more than 75 PCI experts in our discussion forums. We have one specifically focused on "Ask a QSA" and we’re considering adding one just for PA DSS. Let us know if you think that’s a good idea. Also, if you’re a retailer, we want to get you involved in the PCI Best Practices study we’re doing with the National Retail Federation. It’s 100 percent anonymous. Just send us an E-mail at
