PCI-Council General Manager on Non-Compliance 'Russian Roulette'


Most merchants prefer the concept of the credit card industry policing itself, versus lawmakers getting involved. PCI Security Standards Council is the industry's effort to do that. But how ecommerce merchants become compliant and meet PCI criteria is confusing to many, and the penalty for not being compliant is tough to comprehend, too. We talked with Bob Russo, general manager of the PCI Security Standards Council, to help sort out these and other questions.

Practical eCommerce: What does the PCI Security Standards Council do?

Bob Russo: "The PCI Security Standards Council is a body that makes the standards for protecting credit cards worldwide. This is done in several different ways, not the least of which is via components that we call 'participating organizations' that give us their feedback.

"Since these are international standards, the participating organizations can be found around the world. And there are things that are specific only to various verticals, but also to various locations globally. All that is considered as these criteria are updated. We go through a life cycle process on each of these standards, and our sole aim is to safeguard credit card information however and wherever it's accepted. The mantra is, if you store, process or transmit credit card information, you should be compliant with these standards to safeguard that data."

PEC: Where does the Council get its funding?

Russo: "The Council is self-funded at this time. There are fees associated with becoming a member of the Council listed on our site. Therefore, if some of your listeners are interested in becoming participants within the Council and helping us evolve these criteria and move forward, I'd encourage them to visit the website and take a look at that.

"There are fees for becoming an assessor. We not only vet each of the assessor businesses, we train them on a yearly basis. We also conduct training for anybody who wishes to know about PCI, anything from high-level overview instruction on exactly what the criteria are and how they impact you and why you need to be complying with them, all the way down to the technical facets of becoming an assessor and staying current with your credentials."

PEC: Is it fair to say that the significant credit card companies -- Visa, American Express, MasterCard, and Discover -- made this business to self-police the ethics of credit card information?

Russo: "This is a fairly good description. The PCI Security Standards Council is the ideal example of business doing a very, very good job of policing itself."

PEC: Can you describe what it means for an ecommerce merchant to be PCI compliant?

Russo: "Well, to begin with, compliance is something that's dictated by each of the credit card brands. They all have different compliance programs, and all of them use these criteria as the foundation for each of those compliance programs. The [credit card companies] demand compliance. [The Council] does not require compliance, and you do not report your compliance to us. You report it to your acquiring bank or to the brands directly.

"We're only responsible for putting together the criteria. And, essentially, these criteria are a collection of best practices in the industry. The criteria are more related to safety than compliance.

"A fantastic way to think about compliance is that we are the individuals who say you need to put deadbolt locks on all your doors. As soon as you've done that, yes, you're compliant; nonetheless, it then becomes your responsibility to lock those deadbolt locks every day. And that is what this is all about, safety, as opposed to compliance.

"So, if you think of it in the safety vein, and you do things which are essentially best practices and common sense, compliance comes along as a byproduct."

PEC: Do all ecommerce merchants that accept credit cards need to be PCI compliant?

Russo: "The principles which the credit card brands set out with regard to compliance are, if you store, process or transmit credit card information, you ought to be compliant. Irrespective of whether that's one credit card or one million credit cards, you should be compliant with the standards."

PEC: By a current Practical eCommerce estimate, there are over 600 online shopping carts, but only about ten percent are formally recorded as PCI approved. What do you make of this?

Russo: "I think that should put a warning flag up for ecommerce merchants. One of the first things they need to do is ask their service provider or shopping cart programmer if they're compliant with PCI. If they say no, as an ecommerce merchant, I'd like to know why not. And I'd seriously consider not using something which is actually not compliant with the standard.

"I mean you are really taking a huge chance with your company at that point. There's the specter of remediation that needs to take place. There's the specter of a fine. The biggest issue is the standing. Should you go through a breach, you might have a great deal of customers that will tend to not return and shop with you. That is absolutely the worst thing that could happen to any merchant."

PEC: Some cart suppliers appear to get confused about PCI compliance. Is there a way for merchants to find out if their cart suppliers are approved, besides asking their cart suppliers?

Russo: "A great guideline is, if you do not see it on our list, odds are they have not started anything. I'd liken it to buying a car and saying, 'Okay, where are the airbags in this vehicle?' And your salesman says, 'We're putting airbags in this car once we send the car to you. They'll be there by then, but right now I can't show you a version with airbags inside.' I'd run for the hills. I'd want to see evidence that these individuals are PCI compliant.

"We are talking about my [the merchant's] company today. The application vendor isn't the one that is going to get a fine or lose the client; it's going to be me [the merchant]. So, finally, I need to take the responsibility for my own organization."

PEC: There's a list on a different site for approved hosted carts or service suppliers, and approved licensed carts -- "payment applications," to use PCI's expression -- are located on your website. Where should a merchant go?

Russo: "Probably the simplest is to go to the PCI Security Standards Council site. These listings are there. Our site has just been redesigned so it is easily navigable, particularly for smaller merchants.

"If they do not find what they're searching for, they can send an email to anyone in the Council, including only inquiries in the Council. There's an FAQ which can be found on the website. If you start to type a question and it has an answer, it will bring it to you. If it does not have an answer, it will put you in the question queue and permit you to ask that question.

"But if you do not wish to go through this, then send me an email at: brusso@pcissc.org. I can let you know if something is in the queue, or going through the process of being assessed and data has been submitted to the Council, or if you're on a specific application. I can provide you advice on where to find what you're searching for, to cut through all the sales pitches and get down to the real brass tacks of protecting your credit card information."

PEC: Though there's a whole lot of talk about needing to comply with PCI standards, there don't appear to have been any actual consequences for non-compliant merchants thus far.

Russo: "I completely disagree. You are playing Russian roulette here with your organization. While there may be no validation requirement (which is to say that you may not need to prove to anybody that you're PCI compliant), if in fact you go through a breach and you're found not to be compliant at the time of the breach, then you will find tremendous ramifications.

"There are penalties, and for a small company, a fine could put them out of business. There's the specter of customers walking away because they have either figured out, or -- with our breach notification laws -- somebody has told them that the breach occurred at the merchant's website. There is the specter that they won't shop with the merchant anymore because they feel like you [the merchant] aren't keeping their information safe, whether it be credit card information or personal details. It's a really major issue. Are your readers eager to play Russian roulette? They are the only ones that can answer that question."

PEC: Have there been breaches in which a merchant isn't compliant with the PCI standards and that noncompliance has caused a merchant to incur additional penalties?

Russo: "Absolutely. Countless hundreds of merchants have experienced breaches and been found to have been non-compliant at the time of the breach and have suffered losses. And not just the big ones, but also the tiny mom-and-pop shops which are doing business online.

"There's the specter of going out of business. I mean it's that serious. This past year I think there were 600 or so reported breaches. There are breach studies that are done, which are put out by [forensic companies]. Verizon, for instance, puts out a breach report based on all the breaches they've investigated in the past year. There are lots of forensic companies out there that are investigating these breaches; and not just the big ones, the tiny ones also.

"You are talking literally hundreds, if not thousands, of breaches which occur because people aren't doing the very simple, basic things they need to do so as to safeguard this data. You should really think about these standards as a baseline rather than the ceiling. I mean this is the bare minimum you ought to be doing, just like good business practice is to safeguard this data.

"You will find breach statistics which are put out by numerous forensics companies. [I mentioned] Verizon. Another is Trustwave, one of our QSAs that puts these out.

"[You can have] any sort of a bot in your system that is searching for breaches, or go to Google and key in 'charge card breaches for 2010'. It'll bring up a massive list of what is there.

"YouTube has videos put out by a lot of different organizations talking about smaller merchants. One video put out by an organization named RSPA (Retail Solutions Providers Association) is about a supplier who owns a restaurant. He got breached and endured fines and costs of the six-figure variety. For a small restaurant, it almost literally put them out of business. So, this is serious stuff."

PEC: That video you mentioned is industry-produced, right?

Russo: "Yes, it's produced by resellers."

PEC: We know there are a few open seats on the governing board of the PCI Security Standards Council. Please inform us about that.

Russo: "We are just about to start a nomination period for our board of advisors. Our board is composed of 21 advisors worldwide, as it's a worldwide standard that reflects all the different vertical industries in addition to all international sectors, so we cover the whole world.

"You can nominate yourself if you're among the participating organizations within the Council. We now number over 600 of those participating organizations in the Council. Any one of your readers can join. It is not expensive at all. There are a plethora of benefits you will reap by being a member of the PCI Security Standards Council. There's more information on the website.

"Once we've gone through this nomination procedure for about a month, those 600 or more participating organizations start voting on the internet, and the advisors are chosen for a term.

"To give you an example of some of the people that sit on our board right now, we have Bank of America, Barclaycard, Chase Paymentech, Citrix, Exxon Mobil, First Data, JPMorgan Chase, Lufthansa, McDonald's, MICROS, PayPal, TSYS Acquiring Solutions, VeriFone, Walmart, Bank of Scotland. It's a really diverse group of individuals and we rely on them heavily to provide us information about the best way to update these criteria over the years."

