Archive for January 27th, 2010


Throwing Down The Gauntlet

I am having a bad day and just got done with a call with an acquiring bank and their PCI compliance coordinator.

What got me in a really foul mood was their demand that my client take certain actions to better ensure the security of the acquiring bank’s transactions.  I do not know what it was, but their request just hit me wrong and I went on a rant.  However, after I was done, I started to think about it and said to myself, “Why not?”

My rant to this poor person revolved around why the card brands and acquiring banks do not expend their efforts to fix the credit card fraud problem instead of addressing the symptoms.  For the last ten years, the card brands have developed their various security programs that were merged together to form the various PCI compliance standards.  While these standards address the shortcomings of the existing processing environment, my impression is that the card brands are doing little, if anything, to actually address the real problems.

How about we force the card brands to develop a truly secure credit card and related secure transaction processing?  Given the technology available today, one would think that with the right people involved, a secure credit card could be readily developed and at the same time, a secure transaction processing environment could be designed that does not allow the storage of cardholder data except at those points where it is required.  And at those points where cardholder data needs to be stored, these points are heavily secured, monitored and fortified against attack and the breaching of data.  Those projects alone would probably go so far as to reduce card fraud and breaches by 90% to 95%.

Yes, I know that such changes would not come quickly, but you might be surprised.  If a new, secure process and card were introduced and it provided the benefits that I think it likely would, a lot of merchants might actually have a reason to get on board and spend the money to fix the real problem.

So, how about it, card brands and acquiring banks?  Are you up to the challenge?

