When PCI Compliance Is A Competitive Advantage

Written by Evan Schuman
October 23rd, 2008

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Companies are beginning to extend the protection of PCI-driven security controls to other confidential data, which is great. What is even better is that some service providers are finding they can leverage their PCI compliance to gain a competitive advantage when prospecting for customers who are looking for a simplified, independent guarantee that their data will be secure when it’s entrusted to the service provider.

In short, PCI is becoming a "security brand" with value in the marketplace.

We have talked with several service providers who, after going through the self-described "hassle" of having their data management services assessed for compliance, find that they are getting requests from insurance companies and healthcare providers, as well as from banks and retailers, where PCI is mentioned in the same breath as SAS 70 certification as a form of independent validation of the security of the service provider.

  • PCI Complements SAS 70
    When looking for a service provider, one of the standard things to ask for is their SAS 70 Type II audit. It is important to know that financial controls are in place and the business is solid. But the controls covered by this AICPA standard do not include the detailed data security controls that are at the heart of PCI DSS.

    Indeed, there really is no other shorthand way of asking a service provider what specific technical and procedural controls are in place to protect customer data other than PCI. In short, we recommend that companies who outsource the collection or management or storage of confidential data—beyond credit card data—look to PCI compliance as shorthand (or, God forbid, a checklist) for the set of controls it includes.

  • Marketing PCI Compliance
    Since its inception, PCI compliance has been treated as a "state," not unlike Nirvana, which an organization attempts to achieve to avoid fines, stop annoying letters from acquiring banks, etc. But PCI is becoming a marketing tool for service providers wishing to differentiate themselves on the basis of how well they secure the data they have under management. But to use PCI as a marketing message, the data that is subject to the controls cannot "merely" include credit card data. Some companies are talking about "beyond PCI compliance" as a way of saying that they apply PCI controls to other data. Others use the same term to indicate they apply additional controls that are not part of PCI, such as encrypting data over private networks or adding controls specifically designed to secure virtualized servers. So, even when it comes to standards, there is still plenty of room for "Wild, Wild West marketing."
  • Continuously Monitoring Service Providers
    As PCI-related services become more common because of increased outsourcing of payment processing and related functions, due diligence of service provider claims will necessarily increase. We’ve noted in previous columns how important it is to ask for more than a simple letter to indicate PCI compliance from a service provider. Increased reliance should also generate increased due diligence. What we expect to emerge, along with the enforcement of the Payment Application Data Security Standard (PA-DSS) next year, is a group of "meta service providers" who offer service provider monitoring on a nearly continuous basis. Some assessors and auditors do this today, but it is typically limited to annual PCI or SAS 70 reviews. We’re suggesting a more automated monitoring service and process because, frankly, continuous service provider monitoring is what’s needed to catch security breaches before they become multimillion-record debacles.
  • Near Term Actions to Take
    If you’ve been through a PCI assessment (third-party or self-assessment), you should have a list of service providers related to PCI. Get out that list and start asking around to find out how long the list would be if you included any service provider responsible for collecting, managing or storing ANY confidential data. Then, see if you can find out who is primarily responsible for communicating with these service providers. Usually, Contracts Administration or Global Sourcing or some other department will own most of these relationships, but there will be others they don’t cover because IT often manages its own service providers. Also, see if you can get Internal Audit interested in reviewing service providers (if they’re not already). The goal of all this is to develop a more consistent, thorough and "continuous" service provider security review process. The same level of monitoring (and even alerting) should be in place for service providers as is in place for confidential data that is collected, managed and stored internally. It may seem like a pain, but it’s definitely a best practice as PCI becomes more of a competitive advantage.

    If you have a question about Service Providers, you can ask the PCI Knowledge Base panel of more than 75 PCI experts in our discussion forums. We have one specifically focused on Service Providers and Outsourcing. Also, if you’re a retailer, we want to get you involved in the PCI Best Practices study we’re doing with the National Retail Federation. It’s 100 percent anonymous. Just send us an E-mail at
