Time to Revisit Intent of PCI DSS

Michael Vizard

While the intentions behind the payment card industry data security standard (PCI DSS) are probably noble, you have to wonder if the payment services industry is punishing all of its customers for its unwillingness to weed out the few miscreants that abuse the system.

While PCI DSS is in and of itself a good idea, the compliance effort around a set of technologies with dubious benefits is costly and burdensome. When you add up all the money being spent on that compliance effort, you can't help but wonder if it would be simpler and less expensive for all if the payment card issuers were to stop doing business with a minority of merchants that become embroiled in a fraudulent act until they can prove that they have put the appropriate level of security in place. In the grand scheme of things, that's got to be a less expensive way of accomplishing the goal, as opposed to requiring all your customers to spend huge amounts of money on PCI DSS compliance audits when most of them already have appropriate levels of security in place.

Of course, that means the payment card issuer might have to bear more of the cost associated with frauds, but that's part of their business risk. Punishing the entire merchant customer base with costly audits because you want to avoid that risk doesn't seem rational.

Moreover, given all the money spent marketing credit cards, would it not be better to take a percentage of that money and spend it on educating consumers about the benefits of doing business online with merchants that have attained a certain level of security? Right now, merchants spend a lot of time and money on PCI DSS compliance that nobody who does business with them knows about or appreciates.

PCI DSS was clearly an attempt to overhaul online security. But like other overly broad overhauls, the fix to the system itself now needs an overhaul. Hopefully, the payment card issuers will take the opportunity afforded by the New Year to step back and reevaluate what they are trying to accomplish, versus what is actually being done to their merchant customers in the name of better security.

Jan 26, 2010 11:17 AM scott says:

Totally agree. The PCI DSS has evolved from a set of requirements for e-commerce sites to now include any process that touches a credit card number, including, recently, digitally recorded phone conversations.

What needs to happen in the electronic payment industry is a move away from the static magnetic stripe technology. But until the issuers are affected by the cost of fraud, they will not move away from the cheap method of issuing cards and will continue to force the acquirers to cover the cost for them.

