The 2016 North American Community Meeting was a celebration of the PCI SSC’s 10th anniversary. As with such anniversaries, the Council provided a look back and thoughts on the future. During these looks into the future, I found some of the Council’s assertions questionable, and they made me wonder about the Council’s thinking regarding its own future and that of its standards.
The first instance was at Stephen Orfei’s keynote on the first day. The General Manager of the PCI SSC proudly announced that the Council trains around 5,000 people annually and that there are currently just over 2,000 QSAs and over 1,700 ISAs. He then went on to explain that this is only the beginning and that more QSAs and ISAs would be needed. But such a statement seems to run counter to where I think PCI is headed.
From the very beginning, the goal of the PCI standards has been to protect sensitive authentication data (SAD) and cardholder data (CHD) and to remove it from processes that do not require it. With most merchants moving to P2PE, E2EE and tokenization, the only scope at these merchants is going to be the card terminal or point of interaction (POI). The only organizations that will still have SAD/CHD will be transaction processors and acquiring banks. Given that premise, why would there need to be growth in the number of QSAs? In my opinion, with merchant scope radically shrinking, the need to increase QSA and ISA counts is a pipe dream.
If there will be less of a need for QSAs, there will also likely be fewer QSACs. Right now there are almost 370 QSACs in the world. If all that will be left to actually assess are transaction processors, issuers and acquiring banks, then the number of QSACs will also have to shrink. That means more competition for those transaction processors, issuers and acquiring banks until the QSAC numbers get to a more reasonable level based on market demand.
I could see the need for ISAs to potentially go up, but I would expect a lot of those people will just be QSAs that go in-house as the QSA numbers shrink. With the scope of merchants shrinking so much, the need for ISAs is not going to be as large as I think the Council believes. However, because of the silly Council rule that you cannot convert from a QSA to an ISA without going through the ISA training program, the Council will still have ISA training revenue regardless for the time being.
eCommerce will continue to be an ever larger part of merchants’ business. But again, most merchants are moving to redirects and iFrames to reduce PCI scope. While I fully expect the Council to adjust SAQ A to finally address realistically the risks of even redirects and iFrames, that will likely not require any increase in the number of ASVs, who currently number 107. Never mind the fact that the ASV business became a commodity long ago in the rush for every ASV to be a low-cost provider. As a result, there is very little margin left, if any at all, in ASV scanning. Most ASVs are only in the business because they need to offer vulnerability scanning services to allow their clients to “one stop shop” their PCI compliance. As a result, I really doubt that there will be any growth in the number of ASVs, and I would not be surprised if the number of ASVs also drops over the next decade.
The next time I felt like the Council was going down the wrong path was when I attended the small merchant session. What a waste of people’s time. During that session, I leaned over to one of my colleagues who was there and said, “Why is this taking so long?”
“What is your problem?” they asked.
“Why are they not just telling these small merchants to go to P2PE and tokenization? Just get this done and done right,” I said, very frustrated.
In my mind the small merchant session was 45 minutes too long. This topic is one of those rare instances where it could be covered in one of those TED Talk-like 20-minute sessions. Small merchants are looking for a quick answer, and they have one: P2PE and tokenization. Period. End of discussion. Yet the group on stage continued to blather on and on and on.
There you have it. I feel much better now that I have that off my chest.
Hi PCI Guru,
I work for a payment company. They have a payment switch. There is a Cert environment and a Prod environment. Both are on different subnets. However, there is controlled access between the two via a firewall. My question to you is, does the Cert environment come under PCI scope? The Cert environment is where the testing happens. You would call it a test environment.
If it is connected in any way to the production system, then yes it is in scope for PCI compliance and assessment.
Even if the solution the merchant uses is P2PE, it still has to be a validated solution, correct? The acquiring bank can’t just say, “Oh, your solution is P2PE so you can use the P2PE SAQ”.
First, P2PE is the name of the assessment process that validates the solutions. So any solution listed on the PCI SSC’s Web site under the P2PE validated solutions will make the merchant eligible to use the SAQ P2PE. Other factors that come into play with this are the merchant’s level and whether the merchant has any other payment channels. SAQs can only be used by Level 3 and 4 merchants (MasterCard requires Level 2 merchants to do a ROC). If the merchant has eCommerce in addition to card present, for example, then they could not use the SAQ P2PE.
Your statement about MasterCard’s requirement is not strictly true. MasterCard’s Level 2 validation requirements state, “EITHER Annual Self-assessment Questionnaire conducted by an ISA or QSA acting as an ISA OR, at merchant’s discretion, annual onsite assessment conducted by a QSA”. A ROC is discretionary, not mandatory with MC.
Agreed.
Well written, thanks again for the useful insight.
The PCI standards will still exist, it just will not be that big a deal for merchants that have implemented P2PE/E2EE and tokenization. They will likely sign some official form and submit it to their bank that they still have P2PE/E2EE and tokenization and no longer present a risk to the card processing ecosystem.
The reason I believe the standards have to exist is because without them, organizations that do process, store or transmit sensitive authentication data (SAD) and cardholder data (CHD) will fall back into old bad habits without having someone to constantly remind them of their responsibilities. However, the organizations that will be covered by those regulations will be transaction gateways, transaction processors, card issuers and the banks – not merchants, who will be out of the SAD/CHD data loop.
Well put. The Council has turned into what many well-meaning groups do if they stick around too long: an organization dedicated to its own longevity. The Five C’s that started it (Visa, MasterCard, American Express, Discover and JCB) could easily have subsidized a small group dedicated to developing new, open methods for card and transaction protection, but it turned itself into a profit center. They created a mini-industry of ASV scanners and QSAs who rely on the Council for their longevity, feeding the Council and their own existence with their membership fees.
In retrospect the Heartland breach was the best thing that could have happened to the industry because they found religion and pushed end-to-end encryption when the Council didn’t even have it on its agenda. E2EE, P2PE and tokenization became a disruptive technology to the Council’s existence and business model.
The future of PCI, I think, is without PCI, or with PCI assigned to a specialist company wholesaling PCI-free (100% “compliant”) merchant accounts. Some invention is needed perhaps. Otherwise the result will be millions of small businesses and self-employed people closing their merchant accounts and going all cash, while new and more, more and new and new and more PCI and other fees that are born every so often are strangling small merchants with no way to become PCI compliant. I am one of them, and I just closed my merchant account, going all cash after many years of being charged ridiculous and ever-growing amounts of fees and charges, and what’s worse is that I had no choice but to pay those fees and charges and penalties, since it was intentionally made so I do not comply with PCI so they can keep on charging their “PCI non-compliant penalties and fees” on top of fees and on top of more fees, and I have proof of that. Bye bye PCI, I feel so relieved now and free, just like back in 1776.