No matter whether you think the Payment Card Industry Data Security Standard (PCI DSS) is a positive or a negative, the one thing that everybody can agree on is that it's expensive.
Between securing all the credit card information and hiring specialists to make sure your website complies with the standard, hundreds of thousands of dollars can quickly evaporate. Like all things related to security, there's no hard return on investment. So it shouldn't come as much of a surprise to find a lot of ongoing resistance to a PCI DSS standard that many people see as overly complex and of dubious value, given all the recent breaches in the retail space.
But every time there is an IT pain point, some entrepreneur seems to come up with a solution. And the case of PCI DSS appears to be no exception. There are now several companies that have launched cloud computing services that essentially manage PCI DSS compliance on behalf of the retailer.
One of those companies, Verifi, launched a PCI DSS service today. The Verifi service, according to Jeff Sawitke, chief product officer for Verifi, promises tight integration with existing e-commerce applications so online retailers never have to store credit card data themselves. However, should they ever need those numbers to deal with a chargeback situation involving a bank, they can access them via the Verifi service.
ProPay is another company offering a similar service, tightly coupled with e-commerce applications, that is aimed directly at smaller companies. Scott Nelson, director of marketing for ProPay, says smaller online retailers have been hit especially hard by the cost of PCI DSS support, given their normally razor-thin margins, which in turn doesn't help the economy when small retailers start to disappear from the online marketplace.
Chris Mark, one of the original consultants who helped drive the development of the PCI DSS standard and who now works for ProPay as an executive vice president, says it's unlikely we'll see any reduction in PCI DSS compliance, given all the security and banking industry politics involved.
Given that, the better course is to share the PCI DSS pain with as many people as possible by using services that at least let your company benefit from what amount to new shared PCI DSS storage services in the cloud.