PCI And Its Predatory Practices – What Went Wrong?
PCI (Payment Card Industry) Compliance is a confusing topic for merchants (to say the least). I was recently reading a good article at Practical Ecommerce titled Where the PCI Security Council Goes Wrong. In the article, many pitfalls and shortcomings of the PCI process are examined. It got me thinking about what we (and our clients) have been through with regard to PCI, what I see as the many problems with PCI, and a few suggestions for improving it.
LexiConn’s experience with PCI compliance…
Over the past year many of our clients received letters from their merchant account providers stating they needed to be PCI Compliant. Since we are partnered with McAfee Secure, and McAfee is an Approved Scanning Vendor (ASV, the PCI term for a company authorized to perform the required external vulnerability scans), it seemed like a simple task. However, it was anything but simple:
- Some merchant account providers were partnered with different ASVs
This was the first hurdle to overcome. Since clients were working with a company that was not directly partnered with their Merchant Account Provider, there was an obscure process for proving PCI compliance. Issues such as emailing a PDF to a specific email address, faxing reports, and filling out additional forms were all obstacles in the way.
- Non-compliance fees assessed on monthly statements
Even though they followed the rules to the letter, some merchant account providers still added a PCI non-compliance fee. Clients needed to call and email numerous times to get fees removed after the fact.
- Hard sell call from our merchant account’s scanning partner
Just last week we received a call from the scanning company that partners with our merchant account company. They started the call talking about massive fines and how we were not compliant, and we needed to sign up for their service ASAP. We explained we were already compliant, and that it was acknowledged by our merchant account provider. The person on the call initially said we were not, but after our persistence, admitted they may not have the most up-to-date information.
If this is what the process is like for merchants, no wonder there is confusion!
Show me the money!
That’s what some of the companies in the PCI industry seem to be saying. With these new PCI guidelines and rules, an entire industry was born overnight, and much of it is making a cash grab for merchants’ money:
- Merchant account providers assessing fees by sneaking them into statements (non-compliance, PCI non-comp, etc…)
- Scanning companies (ASVs) charging $100 – $1000 per year for PCI scanning
- ASVs using scare tactics and fear to get merchants signed up
- Multiple lists of approved providers, approved software, etc… adding to the confusion
- Many lists of approved providers and software requiring large annual payments (thousands of dollars per year) to remain on the list
- Companies being charged $25,000 – $100,000+ to get their software approved.
ASVs are not all the same
When it comes to the various approved scanning vendors, they are not all created equal. Because we work with our clients to get them PCI compliant, we see first-hand how the various ASVs operate, and a few things stood out over the past year:
- One says pass, one says fail
Often one scanning company will pass an account where another will fail it on PCI compliance. Or, one vulnerability will be marked as non-PCI impacting, where another company will see it as causing PCI to fail. Part of the gap is scoring: the ASV Program Guide fails a scan on any vulnerability with a CVSS base score of 4.0 or higher, so two vendors that rate the same finding differently, or disagree on whether it is a false positive, reach opposite verdicts. Often our clients even have 2 scanning vendors (due to their confusion about what is required, or being auto-enrolled by their merchant account provider) that return wildly different results, adding to the confusion.
- Some scanning companies are near impossible to work with
(probably because they’re too busy signing up all the merchants they can) Many times these scans are fully automated, and when you try to contact them to discuss an issue, it falls on deaf ears, or takes literally weeks for them to respond. If you do get a response, it’s often not remotely related to the issue, requiring this drawn out process to repeat itself, over and over.
- What caused the vulnerability? Nobody knows…
Sometimes a vulnerability will be listed, but the details do not show the URL or script name that caused this vulnerability to appear. It’s like looking for a needle in the haystack. The merchant (and more often than not, us) has to waste time trying to figure out what is actually seen as vulnerable. Asking the ASV is a shot in the dark…
Frustration mounts
It should not be like this. The process should not be muddled with confusing rules, different results based on which company you work with, and a lack of truly exceptional customer service when problems occur. This leads to increased merchant frustration, which leads to:
- Merchants ignoring PCI
- Merchants just trying to get their scan to PASS, regardless of how it’s achieved
- A distrust of the whole process, or dismissing it as profiteering
All of this results in merchants not truly understanding the need for better credit card security, and not adopting good practices that lead to better handling of sensitive data. Many times we see merchants who, once they pass the scan, think that’s it. They then download card data to their local computers, store it in Excel documents, email card data, and so on, all the while thinking that’s fine because they are “PCI compliant”. A passing ASV scan only means the externally reachable systems showed no failing vulnerabilities on the day of the scan; it says nothing about where card numbers end up afterward.
What can be done to improve PCI?
Well, I’m not on the PCI council or one of the experts in the field (although we deal with PCI issues on a daily basis), but a few ideas might be:
- Lists should be free
The list of approved service providers, or approved software packages should be free. There should only be one list to avoid confusion. Why charge thousands of dollars to be listed so that only the ones paying are listed?
- One central source of information
Although the PCI Security Standards Council is seen as the governing body, much more work needs to be done to unify the information out there, and present it in an understandable manner for SMBs.
- Merchant Account Providers as Teachers
More emphasis should be placed on teaching merchants (in easy to understand language) about good security practices and how to implement a truly effective PCI plan. Things like simple brochures, a personal visit to discuss PCI, or a webinar would all be good places to start.
- Scanning companies (ASVs) need to be reined in, and the whole system overhauled
Between the scare tactics, misinformation, partnerships overriding common sense, and the money grab (some of these ASVs are less than 2 years old and bringing in 10 million or more in PROFIT each year), it’s like the wild west.
…
If the credit card companies and related PCI businesses would put the interests of the merchant ahead of their own agenda of shifting responsibility for a broken system onto the backs of merchants, this would go a long way to building trust and simplifying the system so more merchants would want to adopt these practices.
Agree? Disagree?
Excellent article. Excellent journalism.
I agree with everything you’ve said, and want to thank you for helping me navigate the PCI mess.
You ought to distribute that article to a broader forum.
Cordially,
Steve / AdCracker.com
PS: I ignore the phone calls from the telemarketing creeps.
Thanks for the vote of confidence Steve! PCI is quite a mess, although if you limit your exposure to the actual card numbers, it can be simplified. Hopefully the industry gets the hint and starts to make it more straightforward and merchant friendly in 2010.
Interesting article, but is one of your solutions really plausible? Having people from the merchant processor actually visit each merchant. Who would you suggest pay for this? Not to mention the cost of labor, what about the traveling/transportation costs? You mention in your article that you are upset about the fees and then mention a solution that will cause fees to go through the proverbial roof.
By the way, the PCI SSC is a unifying standards organization. Rather than simply complaining that the standards organization doesn’t provide unified info, your article fails to articulate exactly what “standard” you found somewhere else that is missing on PCI SSC website.
Thanks
Thanks for commenting. Although it may not be plausible or economical for a merchant processor to visit every client, my intent was to highlight the failure of many banks and merchant processors when it comes to helping their clients (merchants) understand PCI. When the merchant calls their provider, they are often given incorrect information, no information, or told to talk to someone else.
My point was to shed some light on a system that is predatory in nature, uses hidden fees and confusing requirements to often put profits above “real” security, and has encouraged an atmosphere of just trying to pass PCI instead of actually improving actual security.
I’m not attacking the PCI SSC organization directly. What I’m “attacking” is the implementation by ASVs and merchant account providers. We field so many support emails and calls about PCI issues, where the merchant is often very confused and just trying to meet all the requirements, all the while trying to make a living and accept payments from customers. Pushing the onus on the merchant to handle security is not the right answer in my opinion.
I wish I had the actual answer to this problem, but I’d have to be a lot smarter and able to leap tall buildings in a single bound. 😉