
PCISSC: Part of the Problem or Part of the Solution? | President’s Note


This is just a personal observation on the entire payment processing data security issue, aka “PCI”. This issue has been on our radar screens for six years. During that time the PCI Security Standards Council has issued two versions of its security standards, and data breaches persist at both small merchants and national chains with large IT staffs. The PCISSC points its finger at retail technology resellers, stating that we are the cause of the data breaches, when the PCISSC standards are a band-aid for the antiquated magnetic stripe technology still used on our credit cards.

The PCISSC’s solution is not to provide a technology road map – they have stated that they don’t do that. Instead, their solution is to create an education program for Retail Technology Integrators and Resellers (the Qualified Integrators and Resellers program, or QIR). Make no mistake: this program is going to cost you money, and that money will go into the pockets of the PCISSC.

Today’s marketplace is customer-driven, continually connected, data-based, omni-channel accessible, hardware-agnostic and social-community based. The market has changed, the future is bright, and it’s time for all of us to get educated, step up our game and become “up to date, forward-thinking product geeks”.

While the PCISSC standards are a good start on data security, they are not the solution that solves the payment processing data breach problem. The PCISSC is taking advantage of technology providers who already pay to update their software and hardware products, pay QSAs (Qualified Security Assessors, who are trained by the PCISSC) to validate those products as compliant, and then pay the PCISSC to post the names of the validated products on the PCISSC website.

With the creation of our awareness video “Are You at Risk”, RSPA members began investing in a solution to mitigate data breaches. RSPA also created several online education modules called PCIwise and made this education available to our members and merchants at no cost. The next step was to make a PCIwise education credential a requirement for retail technology industry certification. We then launched a customer-facing website so that end-users/merchants could find RSPA Certified companies and provide feedback on their performance. During this time we also made connections with the end-user/merchant associations, such as the NRA, NRF and NGA, to promote the education and the benefits of working with RSPA industry certified retail technology providers. All of these activities are supported by RSPA members. On the flip side, the PCISSC – which was established by the card brands – has made its education a revenue center. While good for the PCISSC’s bottom line, it takes money from the hands that are trying to address the problem and puts it in their pockets.

Education and the distribution of knowledge are important, and there is nothing wrong with multiple sources of education. My problem is that the PCISSC has been quoted in several recent trade press articles stating that POS integrators/resellers are the cause of data breaches and that its qualified integrator/reseller education program will solve that problem, a classic example of F.U.D. (Fear, Uncertainty and Doubt) marketing.

That said, our community of retail technology providers needs to advocate for itself, and we all need to step up our game. We need to become educated and certified, and to connect with end-users/merchants as trusted advisors. Remember, this is free education; it just takes some of your time. Equipped with this knowledge and the resources provided with RSPA industry certification, establish collaboration, not conflict, with your customer base. Maybe the PCISSC will see the light and join in to address the problem rather than simply using it to financially bleed the users of the product – yes, that is cynical, but factual. RSPA is here as your advocate and to help with education – take advantage of it and step up your game.

What are your thoughts? Leave a comment or question below.

One Comment
  1. wkisse
    2012/09/26 10:34 am

    I agree with Joe and commend the RSPA in doing a remarkable and complex job to train resellers who are impacted by PCI security requirements as part of the benefits of association membership.

    The PCISSC is squarely placing the burden on Retail IT Solution Providers and end-users to “fix” THEIR flawed and outdated security.

    In making training/compliance a revenue-generating effort for PCISSC they have little reason to change their old and insecure system which makes this activity a truly bad-faith effort at correcting a system that should and can be “fixed” by a major overhaul in process/procedure.

    The total cost of this overhaul – and in the interim supporting resellers and end-users – should be borne by the organization that created this problem in the first place!

    Joe’s description of “cynical but factual” is accurate on both counts.

    What will it take to change this bad situation that does little if nothing to protect the solution providers and end-users?

    RSPA’s recent activity in collaboration with the NRA to encourage our representatives on Capitol Hill to become aware and consider legislation to change this may help the situation, but the solution rests squarely on the PCISSC.

    However, as stated the PCISSC’s solution is NOT to provide a technology roadmap, and absent this roadmap to guide change the only recourse may be legislation to encourage/force them to take the lead and either create this roadmap (at their expense) or come up with a new technology in its entirety that will serve the best interest of all.

    For the moment, the only thing the credit card and end-user industry can and should do is to respect the efforts of the RSPA and its members in a manner that reasonably protects everyone involved.

    And this is currently not the case.
