Archive for March 16th, 2009


Stick or Carrot?

Over the weekend, Visa released a statement on the Heartland and RBS WorldPay breaches.  In addition, the Deputy Chief Risk Officer was given a chance by InformationWeek to rebut their complaints regarding the relevance of PCI DSS compliance.  I am concerned about the mixed messages these two articles have for organizations trying to get to and maintain PCI compliance.

The Visa announcement regarding Heartland and RBS indicates that Visa is going to bring out a pretty big stick against these two organizations.  They have been delisted from Visa’s compliant processor list and have been told to conduct new PCI Report On Compliance (ROC) assessments.  However, unlike CardSystems almost three years earlier, Visa stopped short of giving either a death sentence by saying they would refuse to accept transactions after a certain date.  A number of security analysts complained about this saying that Visa should have been harder on both processors.

On the same day, InformationWeek released a rebuttal by the Deputy Chief Risk Officer of Visa, Adrian Phillips, on why PCI compliance is still relevant.  For those of you not following InformationWeek, they have been hard on the PCI Data Security Standard.  At the end of his article, Mr. Phillips states:

“In sum, there’s no silver bullet when it comes to protecting consumer data. As criminals get better at what they do, our efforts to stop them must keep pace. We should continue to explore new tools to help prevent or limit fraud in our system, including encryption, authentication technology, and customer alerts. But while we evaluate the costs and merits of these additional solutions, we must continue to deploy the best tools we have available today to fight fraud–starting with the PCI DSS. PCI DSS compliance simply remains the best defense for businesses against the loss of sensitive consumer information.”

If you are like me, you are scratching your head and saying to yourself, “What’s going on here?”  However, take a step back and think about it a bit.  While on its face, the two statements seem a bit schizophrenic, they are actually somewhat compatible.  Although, I would argue that eventually, Visa and the other card brands will have to pull back on the ‘really big stick’ approach and adopt more of the ‘carrot’ method, at least as it comes to its processors.

Why?  Because eventually, merchants will have systems that do not store cardholder data.  And those large merchants that do their own centralized switching of transactions and processors will have no choice but to continue to hold cardholder data for a variety of reasons such as recurring payments, loyalty programs, fraud analysis and other worthwhile business purposes.  They will become the targets along with the card brands’ systems.  And, as Mr. Phillips points out and I have argued in an earlier post, security is not perfect and all we can do is be diligent in protecting cardholder data.

As a result, Visa and the other card brands will have to get out of the penalty game with their processors and large merchants because no one has a perfect security environment and no one ever will.  If that is the case, how can the card brands justify the ‘big stick’ approach if security cannot always be maintained?  They cannot and ultimately they will figure this out.  Let us just hope they wise up soon.


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

March 2009