PCI – The Supermassive Small Merchant Black Hole

Existing in the commerce galaxy, the vast majority of merchants are “traveling”, that is, doing business, without proper safety controls or, rather, information security controls in place. While I know of no single solution or silver bullet that can be purchased or leveraged to ensure absolute information security, there are many ways your store and customer data can be made more secure. Each participant in a commerce-based transaction – the retailer, the buyer, the credit card processor, and the merchant’s bank – plays a unique role in ensuring that security.

Our marketplace once consisted of what were predominantly localized transactions and interactions. Now everything has changed. We conduct business with our partners from anywhere around the globe thanks to digital communication networks. We live in a globally connected world, and with the Internet we are all essentially members of international organizations. Information security must evolve just as information security challenges and threats evolve. Cyberspace criminals are becoming more organized, more educated, and more brazen in their pursuits.

When it comes to cyberspace crime, it is all about financial gain through the theft of consumer identities and intellectual property. The largest business segment in which cyber-criminals target identities is the retail marketplace. Just one credit card is used at dozens, hundreds, maybe even thousands of retail establishments in every part of the world. When is the last time you heard about a security breach at a credit card issuer like Visa or MasterCard? Citibank comes to mind, but no one else. When is the last time you heard about a security breach at a retail store? I’d run out of fingers and toes counting them off to you.

According to the U.S. Census Bureau, three quarters of all U.S. business firms are classified as small businesses (Source: U.S. Census Bureau). How many of these small businesses are required to comply with Payment Card Industry (PCI) security mandates?

Technically, all merchants are supposed to comply with these guidelines. However, anyone processing fewer than 6 million transactions a year must only claim compliance, and that claim goes unverified. Do you think the honor system is going to be effective at protecting your business or customers from criminals? I say “criminal” instead of “cyber-criminal” because without effective and fundamental information security controls in place, a customer’s credit card information and personally identifying information is ripe for the picking by dishonest employees, dishonest support vendors and cyber-criminals alike.

According to Visa Inc., small merchants account for over 80 percent of compromise events (Source: Visa Inc.). Hackers love small businesses because they are usually not well protected. Regardless of size, any organization that is not protected will be targeted by cyber-criminals. The lifeblood of any business entity is the customer, and the customer can only support the business if their financial identity is solvent. This symbiotic relationship will not thrive without vigilance on both sides. Of course consumers need to keep their technology up to date and use secure methods of conducting business transactions. But it is extremely critical for merchants to protect their intellectual property, their profits, and, most importantly, their loyal customers’ data.

The PCI Security Standards Council is an open global forum. The Council’s five founding global payment brands – American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. – all agreed to set security standards. On the positive side, these standards are consistent. On the negative side, some of them are antiquated by technological standards and must be updated.

For example, 3DES encryption is still authorized by the PCI consortium. 3DES was defeated in 2005. For discussion purposes, AES is faster and has not been defeated yet. So why have the requirements not been updated? One of the reasons is that it is expensive to update the technology to support stronger encryption rather than weaker encryption. This disconnect represents collusion between the PCI consortium and the financial institutions to “dumb down” security measures purely for business impact purposes.

Merchants and payment processing companies that do process more than 6 million credit card transactions annually must independently hire Qualified Security Assessors (QSAs). This independent business relationship between the buyer of required services and the seller of those services establishes the potential for collusion and fraud, which I have seen in action first hand as a Chief Security Officer. The PCI certification is only as good as the honesty, integrity, and competence of the QSA, which in my experience is extremely subjective. I’ve never worked with a QSA who didn’t miss something crucial in their examinations, yet the client company still received a clean bill of health. Most of these merchants are trying to do the best they can; after all, it is their business and reputation on the line.

There are many other fundamental security measures that should be in place but are not currently required, measured, tested or reported on. Enterprise security is much more than just PCI. PCI focuses only on the commerce stream and very little else. If you are a merchant in the 80 percent group, you must hire employees or bring in trusted partners who are subject-matter experts in information security and who will ensure that all security measures are in place. If you do anything with this information, always get a second opinion. Have independent experts with a vested interest in your business success verify the results of your security personnel and QSAs.