Archive for October 8th, 2016


The Future Of PCI?

The 2016 North American Community Meeting was a celebration of the PCI SSC’s 10th anniversary.  And as with such anniversaries, the Council provided a look back and thoughts on the future.  During these looks into the future, I found some of their assertions questionable and they caused me to question the Council’s thought processes regarding the future of the Council and their standards.

The first instance was at Stephen Orfei’s keynote on the first day.  The General Manager of the PCI SSC proudly announced that the Council trains around 5,000 people annually and that there are currently just over 2,000 QSAs and over 1,700 ISAs.  He then went on to explain that this is only the beginning and that more QSAs and ISAs would be needed.  But such a statement seems to be counter to where I think PCI is headed.

From the very beginning, the goal of the PCI standards has been to protect sensitive authentication data (SAD) and cardholder data (CHD) and the removal of it from processes that do not require it.  With most merchants moving to P2PE, E2EE and tokenization, the only scope at these merchants is going to be the card terminal or point of interaction (POI).  The only organizations that will have SAD/CHD remaining will be transaction processors and acquiring banks.  With that premise then why would there need to be growth in QSAs?  In my opinion, with merchant scope radically shrinking, the need to increase QSA and ISA counts is a pipe dream.
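The scope argument above rests on one mechanical fact: once a processor tokenizes the card, the merchant’s own systems hold a token and perhaps the last four digits, never the PAN, so a data-discovery scan of those systems finds nothing in scope. The following is an added illustration written for this post, not the Council’s, a processor’s, or any real tokenization product’s code; the `ProcessorVault` class, the `tok-` token format and the sample card numbers are all constructed assumptions. It contrasts a merchant that stores PANs directly with one that stores only tokens, and runs the same Luhn-based discovery scan over both.

```python
import re
import secrets

# Sample PANs below are constructed test values (Luhn-valid, not real cards).

def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# A run of 13 to 19 digits not adjacent to other digits: PAN-length candidates.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pan_candidates(text: str) -> list[str]:
    """Digit runs of PAN length that also pass Luhn: what a scope scan flags."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]

class ProcessorVault:
    """Hypothetical processor-side tokenization (assumption, not a real API).

    The PAN is kept here, at the processor; the merchant only ever receives
    a random token and the last four digits for receipts.
    """
    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> tuple[str, str]:
        if not luhn_ok(pan):
            raise ValueError("not a Luhn-valid PAN")
        # Random token; hyphens keep any digit run far below PAN length, and the
        # value carries no information from which the PAN could be derived.
        token = f"tok-{secrets.token_hex(4)}-{secrets.token_hex(4)}"
        self._vault[token] = pan
        return token, pan[-4:]

def merchant_records_without_tokenization(pans: list[str]) -> list[str]:
    """The 'before' picture: the merchant's order store holds full PANs."""
    return [f"order={i} pan={pan}" for i, pan in enumerate(pans, start=1)]

def merchant_records_with_tokenization(pans: list[str], vault: ProcessorVault) -> list[str]:
    """The tokenized picture: the merchant stores token and last4 only."""
    records = []
    for order_id, pan in enumerate(pans, start=1):
        token, last4 = vault.tokenize(pan)
        records.append(f"order={order_id} token={token} last4={last4}")
    return records

def scope_scan(records: list[str]) -> list[str]:
    """Return every PAN candidate found across the merchant's stored records."""
    found: list[str] = []
    for record in records:
        found.extend(find_pan_candidates(record))
    return found

if __name__ == "__main__":
    sample_pans = ["4111111111111111", "5555555555554444"]  # constructed test PANs
    vault = ProcessorVault()
    print("without tokenization:", scope_scan(merchant_records_without_tokenization(sample_pans)))
    print("with tokenization:   ", scope_scan(merchant_records_with_tokenization(sample_pans, vault)))
```

The scan is deliberately simple (digit run plus Luhn) because that is the kind of check a merchant can run over its own databases and log files to confirm that tokenization actually removed CHD from its environment; the interesting result is that the tokenized records produce an empty list while the vault at the processor is the only place a PAN survives.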

If there will be less of a need for QSAs, there will also likely be fewer QSACs.  Right now there are almost 370 QSACs in the world.  If all that will be left to actually assess are transaction processors, issuers and acquiring banks, then the number of QSACs will also have to shrink.  That means more competition for those transaction processors, issuers and acquiring banks until the QSAC numbers get to a more reasonable level based on market demand.

I could see the need for ISAs to potentially go up, but I would expect a lot of those people will just be QSAs that go in-house as the QSA numbers shrink.  With the scope of merchants shrinking so much, the need for ISAs is not going to be as large as I think the Council believes.  However, because of the silly Council rule that you cannot convert from a QSA to an ISA without going through the ISA training program, the Council will still have ISA training revenue regardless for the time being.

eCommerce will continue to be an ever larger part of merchants’ business.  But again, most merchants are moving to redirects and iFrames to reduce PCI scope.  While I fully expect the Council to adjust SAQ A to finally realistically address the risks of even redirects and iFrames, that will likely not require any increase in ASVs, who currently number 107.  Never mind the fact that the ASV business rapidly became a commodity long ago in the rush for every ASV to be a low-cost provider.  As a result, there is very little margin left, if any at all, in ASV scanning.  Most ASVs are only in the business because they need to offer vulnerability scanning services to allow their clients to “one stop shop” their PCI compliance.  As a result, I really doubt that there will be any growth in the number of ASVs, and I would not be surprised if the number of ASVs also drops over the next decade.

The next time I felt like the Council was going down the wrong path was when I attended the small merchant session.  What a waste of people’s time.  During that session, I leaned over to one of my colleagues who was there and I said, “Why is this taking so long?”

“What is your problem?” they asked.

“Why are they not just telling these small merchants to go to P2PE and tokenization?  Just get this done and done right,” I said, very frustrated.

In my mind the small merchant session was 45 minutes too long.  This topic is one of those rare instances where it could be discussed in one of those TED Talk-like 20-minute sessions.  Small merchants are looking for a quick answer and they have one.  P2PE and tokenization.  Period.  End of discussion.  Yet the group on stage continued to blather on and on and on.

There you have it.  I feel much better now that I have that off my chest.

