Why Do PCI Scanning Companies Make Things So Difficult?

PCI – the three-letter word that is a four-letter word to most merchants.

PCI compliance has become a mandatory event for any business that accepts credit cards. But even after years of refinement and streamlining, it’s still an arduous task for many merchants, especially small business owners.

It doesn’t have to be this way…

Make it easy to submit false positives

In a nutshell, PCI compliance for most small ecommerce merchants consists of a quarterly scan of their website, and an annual PCI questionnaire they must fill out. Sounds simple, right?

These automated scans often turn up false hits, which need to be addressed. Some PCI scanning companies offer a simple web-based reporting interface that makes it easy to prove compliance.

However, one of the largest PCI scanning companies, Security Metrics (which has partnered with First Data Corporation, one of the largest merchant account providers), has no such interface. It requires the merchant to send an email requesting that an issue be examined and marked as a false positive. This is quite inconvenient for us, as a web host working with our clients, because we have to relay everything through the merchant, who in turn emails Security Metrics.

Email is slow. Email is not convenient for this type of reporting. We often have to wait days for Security Metrics to email the merchant back, who then forwards that email on to us, and if it requires further action, the whole process has to be repeated.

It makes the simple task of reporting a straightforward false positive a nightmare in many cases!

Lack of consistency in tech support

Not to harp on Security Metrics (ok, actually I am, because they are the ones that cause us and our clients the most problems), but they are guilty of another failure – the same explanation we use for one client is accepted, while that very same explanation is sometimes rejected for another client.

That’s right, same server, same software, same false positive, and one merchant’s explanation is accepted, while that same explanation is rejected for another merchant.

Now we have to escalate the issue, repeat ourselves, reference other emails that were accepted, etc… More time wasted, frustrations mounting…

All of this could have been avoided if there was a central reporting feature!

Is Security Metrics to blame?

In some respects, yes. But the full blame does not land on them. I believe a lot of the blame is on the credit card companies for developing a system that clearly does not work well, and that some would say does little to curb fraud and stolen credit card details.

I’ve written about the PCI industry in the past. I spend a good deal of time each day dealing with various PCI issues, 99% of them being false positives or not being an actual threat to credit card security. A lot of work and time is wasted “traveling down the wormhole” to resolve these issues. And it’s frustrating, as I do not see much of it making things more secure or better for the merchant.

I don’t have all the answers, or the magic silver bullet to fix PCI. But I do know the current system does not work, and needs a major overhaul to actually improve security. It would be nice to see the emphasis and workload lifted off the small merchant, who shouldn’t have to suffer because of the shortcomings of the credit card industry.

Your thoughts?

  1. SteveG says:

    I’m switching my merchant account provider specifically because of their relationship with Security Metrics.. Well that and I know more about PCI than they do..

    What kills me is that if you fail the PCI compliance many merchant providers do not shut you off, they don’t even tell you about the failure, but they do charge you an extra $20 for being out of compliance..

    It’s the old, well, you broke the rules, but for $20 we’ll look the other way.. Nudge nudge, wink wink..

    It’s wrong, and we shouldn’t be forced to deal with it.. There are so many ways that they could improve the entire PCI system, but I doubt anyone has bothered to talk to the people in the trenches, the merchants..

  2. Jason says:

    Well, honestly, what do you expect them to do about it? They are held to certain standards by the PCI and there’s absolutely nothing they can do about that… And honestly, any merchant who has ever tried to do PCI compliance on their own (the right way) would be more than glad to have the kind of help that SecurityMetrics offers. Yeah, it’s still a pain, but it’s way better than doing it on your own…

    My main suggestion is, stop whining about things you can’t change and be grateful for what you have!

    • Thanks for the feedback, Jason. I’m not knocking the standards (besides a little dig at the industry as a whole) and adhering to them. But there are other PCI scanning companies out there that we work with that do the job more efficiently and better than SecurityMetrics. They make our (and our clients’) lives easier when issues pop up.

      I don’t doubt that SecurityMetrics offers value in dealing with PCI related issues. I’d just like to see them improve their processes to make it easier to comply with all the rules and regulations PCI requires.

  3. SteveG says:

    “My main suggestion is, stop whining about things you can’t change and be grateful for what you have!”

    Wow, excellent response.. Except it’s wrong.. There is no whining, not even on my part. I’ve been taken for a few hundred bucks because of this.. I want change.. I want accountability.. And I want a FAR more transparent process than we have had to date.. Then when you add what certainly looks like a back door agreement between processors and compliance companies, the whole thing simply reeks of a money grab with no real intention to resolve the issues..

    But that may just be me being cynical..

  4. John Galloway says:

    Security Metrics have a number of products that are used for PCI compliance. However, none of them perform a quality job, and they are typically lagging behind competing products. This includes their vulnerability scanning, their PAN scan tool and their online PCI portal.

    After working with their products and with other alternatives, it seems the Security Metrics model is to create basic products and then push these through large banks onto small merchants who are not technical and will just accept whatever is put in front of them.

    This is a typical business case where you can take an ordinary product, spend lots of money on sales and marketing and squeeze as much revenue as possible from it.

  5. Paul van Woensel says:

    We are currently using Security Metrics and are extremely unhappy with the service. The same false positives over and over. Sites that are hosted on the same servers as other sites fail, while the others pass.

    There are still 3 months left on our contract, but I would love to suggest a different / better experience.

    Who switched to what and how are you liking similar priced options?
