A while back I wrote an article entitled “The Shocking Truth About Retailers & PCI” in which I shared the results of a retailer-focused survey. The gist was that retailers, particularly in the SMB space, apparently have a low level of knowledge concerning PCI and its related terms and concepts. This, despite mandates and requirements going back years. Shame on them, right?!
I went on to explain how this is a great opportunity for retail IT resellers to flex their trusted advisor muscles and offer guidance and wisdom to their customers.
But that’s not the end of the story. Yesterday, in putting together a white paper on the state of PCI and the VAR, ISV (independent software vendor), and retailer ecosystem, I came across some interesting data from a Business Solutions survey which made me consider that lack of PCI awareness might not just be a retailer problem.
In the survey of Business Solutions subscribers, ISVs had some choice words for VARs (and merchants, of course). Here are just a couple of quotes from ISVs:
“In all honesty, resellers that we encounter could care less about PCI compliance. I feel as if it is only us software companies that care. The industry is still to this day ignorant about the topic of PCI, which is unfortunate.”
“The majority of our resellers do NOT care about PCI compliance. It blows me away, but it is true.”
Despite such sentiments coming from ISVs, 87% of surveyed VARs indicated that they feel properly trained to discuss POS security with merchants. If that’s true, what’s going on here? Is this a case of VARs thinking they know more than they do? Or do VARs not focus on, or speak with customers about, PCI because they think that once PCI-certified software is installed, the issue is in their rear-view mirror?
One additional nagging data point which may or may not be relevant: Business Solutions newsletters sent out with PCI in the subject lines perform horribly, having low open and click-through rates. It appears to me as if our VAR readers don’t want to read about PCI. In fact, maybe this blog post is destined to be more of a diary entry, for my eyes only.
All this leaves me wondering, who cares about PCI? Clearly, ISVs are forced to care. But the rest of the ecosystem — VARs and merchants — I’m not sure they do.
November 27, 2012 at 2:27 pm
Mike
You are right on the money! What’s wrong is that if you become non-compliant by not following through every year, they just bill the merchant the $19.95 non-compliance fee every month. It has become a profit maker and there is no enforcement, i.e. shutting the account down until the questionnaire is complete and/or the scan is done. This is when people will get serious. However, since everyone seems to be profiting on this now as an additional revenue stream, why should they get serious?
December 4, 2012 at 8:38 am
Mike,
Your recent articles on the topic of PCI have garnered a lot of attention, and they have certainly captured the attention of us here at the RSPA. We are appreciative that you are writing about PCI Security, raising awareness, creating conversation, and calling attention to the critical issues regarding PCI Security that need improvement.
RSPA works directly with the PCI SSC (PCI Security Standards Council), the card brands and merchant-based associations in a continuous effort to keep both PCI and PII data security top of mind. It is our position at RSPA that most industry professionals do care about data security, but those same professionals (vendors, VARs, merchants, etc.) also do not understand the complexity of compliance with PCI SSC standards.
Therefore, RSPA, working through the Coalition of Associations for Retail Data Security (CARDS), has been encouraging the card brands to adopt a simplified validation of compliance. We believe that if PCI compliance validation is simplified, then it will be easier for industry professionals to understand it. We believe that increased understanding will lead to increased compliance.
In pursuit of the RSPA mission to provide education and advocacy to the retail technology industry, we strongly encourage retail technology providers and merchants alike to gain a better understanding of PCI by participating in the RSPA PCIwise education series. This series was developed by RSPA to ensure that both merchants and retail technology providers develop a full understanding of the best practices related to Payment Card Industry data security practices. The PCIwise education series is offered at no cost to all RSPA members and to many merchant users as well. More information about the PCIwise education series can be found here: http://www.gorspa.org/i4a/pages/index.cfm?pageid=4311.
RSPA has placed a high priority on updating the PCIwise education offerings in the coming year. We look forward to sharing more information with you about enhancements to our education series. To view our video, PCI: Are You At Risk, visit http://www.GoRSPA.org/PCI.
Retail technology providers, in particular, need to get educated and position themselves as trusted advisors to the customers they serve. At RSPA, we believe the most important message right now is that data security is extremely important to everyone in the retail technology industry.
We look forward to hearing more from you on the topic of PCI.
With appreciation,
RSPA
Retail Solutions Providers Association
http://www.GoRSPA.org
January 10, 2013 at 1:48 pm
Here are some issues with PCI compliance that merchants and VARs do not get.
1. Merchants have a POS system and they surf the internet on the same PC or the same network, and are unaware of the dangers they could encounter.
2. Merchants have a choice of what ISO to do business with – if they were educated about how much it would cost if there was a BREACH – they would find an ISO who offers Breach Coverage so that if there was a breach – they would not have to come out of pocket for $15,000+ for a PCI AUDITOR – and I have seen some breaches cost merchants $100,000 –
3. Do I agree with non-PCI-compliance fees? – NO – I think that some companies take advantage of merchants – in that respect –
4. It does not help that the VAR community does not instruct the merchant or at least advise the merchants on taking care of PCI – instead of telling merchants it is B.S. – tell merchants that they need to take care of filling out SAQs and getting systems scanned –
5. We can only advise merchants about PCI and show them the site – show them where to fill out the SAQ – the merchant needs to do the rest – however – most of the time merchants just don’t do it.
I can understand part of that – they don’t want to deal with something that they do not fully understand – and that is part of my beef about PCI compliance – the questions for merchants who have POS are over the heads of most merchants –
I recommend – merchants fill out the SAQ – get scans and deal with a company who offers Breach Coverage – if something happens the burden is not going to be all on the merchant –