Archive for March 30th, 2018


There Is No Such Thing As PCI “Magic”

It still amazes me how much effort some people and organizations expend in vain and silly attempts to “avoid” PCI compliance.  Yet an entire industry has sprung up claiming to offer just such “magical” solutions.

First and foremost is the fact that when your organization signed the merchant agreement to accept payment cards with your acquiring bank, you agreed to comply with the PCI DSS.  Unless your organization is willing to stop accepting payment cards, you are stuck with complying with the PCI DSS.

What you can do, though, is implement solutions that minimize your PCI scope and therefore simplify your PCI compliance efforts.  For those of you who need to cut to the chase, here are the ONLY solutions that minimize your PCI scope.

  • If you operate a brick and mortar retail store, implement a point-to-point encryption (P2PE) validated solution or end-to-end encryption (E2EE) solution – both with tokenization. Do NOT enter primary account number (PAN) and sensitive authentication data (SAD) through anything other than the P2PE/E2EE terminal.  This will reduce your scope to those requirements in SAQ P2PE.
  • If you conduct mail order and/or telephone order (MOTO), use a P2PE/E2EE solution with tokenization. Do NOT enter PAN and SAD through anything other than the P2PE/E2EE terminal.  This will reduce your scope to those requirements in SAQ P2PE.
  • If you have an eCommerce Web site, use a redirect solution such as PayPal or an iFrame solution from a transaction processor such as those available from Vantiv, Elavon or TrustCommerce with tokenization. Implementing either of these solutions will reduce your scope to the requirements in SAQ A.
  • If you need to do recurring transactions, do not store card information at all. Have your transaction processor send back reusable tokens instead when a customer puts a card on file.  Your processor can also likely provide you with a service to automatically update card expiration dates and card validation codes for a fee and save you from badgering customers to update their payment card accounts every three to four years.  How much this approach reduces your scope will depend on your organization’s payment channels such as eCommerce, MOTO, or brick and mortar retail.
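As an added example that is not code from the PCI Guru post, the last bullet in practice: a card-on-file store that persists only the processor's reusable token and refuses to write any field that carries a Luhn-valid PAN, so a mis-wired integration cannot quietly drag cardholder data back into scope.  The response field names (token, last4, exp_month, exp_year, brand) are assumptions about a generic processor, not any particular vendor's API.

```python
# Added example (not from the PCI Guru post): keep only a processor token
# on file for recurring charges, and refuse to persist anything PAN-like.
# Field names (token, last4, exp_month, exp_year, brand) are assumed.
import re
from dataclasses import dataclass

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
_PAN_RE = re.compile(r"(?:\d[ -]?){12,18}\d")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; real PANs pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(value: str) -> bool:
    """True if value embeds a Luhn-valid 13-19 digit sequence."""
    for m in _PAN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


@dataclass(frozen=True)
class CardOnFile:
    token: str       # reusable processor token; the only thing charged later
    last4: str       # display-only
    exp_month: int
    exp_year: int
    brand: str


def store_card_on_file(response: dict) -> CardOnFile:
    """Build the persistable record from a (constructed) tokenization response.

    Raises ValueError if any field looks like a real PAN, so a misconfigured
    integration cannot silently pull cardholder data into PCI scope.
    """
    for key, val in response.items():
        if isinstance(val, str) and contains_pan(val):
            raise ValueError(f"field {key!r} looks like a PAN; refusing to store")
    return CardOnFile(response["token"], response["last4"],
                      int(response["exp_month"]), int(response["exp_year"]),
                      response["brand"])
```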

There are no ways to minimize PCI scope other than these.  For those who are interested, the absolute minimum PCI scope any organization can achieve is the set of requirements documented in SAQ A (i.e., a merchant with ONLY an eCommerce site using a redirect or iFrame).  There is nothing less.  Period.  Anyone who tells you otherwise does not know what they are talking about.

One important caveat to this discussion: the more payment channels your organization uses, the less scope reduction you get.  For example, if your organization operates brick and mortar stores and also has an eCommerce site, you will have to comply with the requirements in both SAQ A AND SAQ P2PE if you follow my advice.  Keep that in mind as you evaluate and implement these solutions.

Yet time and again, I encounter organizations spending lots and lots of time, effort and money on all sorts of “magical” PCI-compliant solutions sold by “snake oil” salespeople preying on the PCI uninitiated.  They promise all sorts of “magic” that will reduce PCI scope or, worst of all, remove your organization from PCI scope entirely.  None of them deliver, and people are deeply disappointed when they finally contact a QSA (or worse, their bank calls out the solution) and find out that the money was spent in vain and did not actually reduce their scope, let alone remove them from it, as they were promised.

Adding insult to injury, had the merchant truly understood the solution and the PCI compliance process, they would have seen that the vendor’s contract documented exactly how much scope reduction would actually be delivered (i.e., not a lot).

Stop spending so much time and money on Rube Goldberg solutions.  In the end, they are typically costly, complicated and likely do not reduce scope any better than the solutions outlined above.

The bottom line here is, if it sounds too good to be true, it likely is.


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.
