Time to Revisit Intent of PCI DSS

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

While the intentions behind the payment card industry data security standard (PCI DSS) are probably noble, you have to wonder if the payment services industry is punishing all of its customers for its unwillingness to weed out the few miscreants that abuse the system.

While PCI DSS is in and of itself a good idea, the compliance effort around a set of technologies with dubious benefits is costly and burdensome. When you add up all the money being spent on that compliance effort, you can't help but wonder if it would be simpler and less expensive for all if the payment card issuers were to stop doing business with a minority of merchants that become embroiled in a fraudulent act until they can prove that they have put the appropriate level of security in place. In the grand scheme of things, that's got to be a less expensive way of accomplishing the goal, as opposed to requiring all your customers to spend huge amounts of money on PCI DSS compliance audits when most of them already have appropriate levels of security in place.

Of course, that means the payment card issuer might have to bear more of the cost associated with frauds, but that's part of their business risk. Punishing the entire merchant customer base with costly audits because you want to avoid that risk doesn't seem rational.

Moreover, given all the money spent marketing credit cards, would it not be better to take a percentage of that money and spend it on educating consumers on the benefits of doing business online with merchants that have attained a certain level of security? Right now, merchants spend a lot of time and money on PCI DSS compliance that nobody who does business with them has any knowledge or appreciation thereof.

The PCI DSS standard was clearly an attempt to overhaul online security. But like other overly broad overhauls, the fix to the system also needs an overhaul. Hopefully, the payment card issuers will take the opportunity afforded by the New Year to take a giant step back to reevaluate what they are trying to accomplish, versus what is actually being done to their merchant customers in the name of better security.