August 6, 2009
The last few years have seen a great deal of discussion, arguing, hand-wringing, and posturing within the retail / hospitality community regarding the PCI DSS. It has also driven a lot of investment in technology–and a lot of investment by technology companies.
Then PA-DSS came along. The PCI Council took a voluntary program (PABP) and turned it into a robust, mandatory security standard, the impact of which is still being absorbed by software vendors that provide solutions to retail and hospitality merchants. Again, there was much hand-wringing, posturing, and general frustration (this time from the vendors.)
The remarkable thing to me is the degree to which, until very recently, this consternation over PCI and its applicability and requirements has largely been isolated to the retail / hospitality community. Slowly, the rest of the business world is waking up to the fact that PCI reaches far beyond retail. Electronic currency (i.e., debit and credit) is not a payment mechanism isolated to any one vertical; instead, it’s increasingly used by consumers in all aspects of their spending.
This realization ’process’ looks an awful lot like the classic grieving process–denial, anger, bargaining, depression, and finally, acceptance–and is the same process that the retail community has gone through for the last five years (for L1 & L2 merchants I think we’ve pretty much gotten to the acceptance stage). A lot of hospitals, higher education organizations, healthcare technology firms, and the like are really just beginning this process – denial is still a big part of the conversations that we have with these organizations.
Now, this is certainly not a universal situation. NetSPI is working with some very forward-thinking, security-focused organizations on PCI and related security initiatives, but it’s common enough to note and it’s where we spend a lot of time working to educate the broader community. Luckily, we have a lot of experience with these other industries and can help our clients work through this process with more than just a retail/hospitality perspective.
The fact that other standards are also applicable in some instances may be causing some of the difficulty in accepting the fact that PCI is important and applies. HIPAA, for example, has security requirements to protect personal health information. I have had numerous conversations about PCI with companies in healthcare that have sounded something like “I have to adhere to the HIPAA security standards, so I’m covered.” Actually, if you take credit card payments, and you are just worrying about HIPAA’s security requirements, you have a serious problem.
Anyone that takes or manages electronic payments–healthcare providers, lawn care companies, hospitals, insurance companies, doctor’s offices, accounting firms, tax preparation services, plumbers, event scheduling services, etc, etc, etc, etc.–is subject to PCI’s requirements. The software vendors that service and support all of these industries and handle PCI-relevant information within their solution are also subject to PCI’s requirements (via PA-DSS).
So my advice – learn to accept PCI and take the steps today that will help make compliance more efficient and improve overall security. Find a partner that is focused on PCI guidance, not just auditing. Make sure that they understand your industry, ask good questions that go beyond the scope of compliance, and give you honest feedback.
If you accept electronic payments, PCI applies to you. If you are in denial, you need to move through your grieving process quickly so that you can make critical decisions and take the actions required to protect your organization and minimize risk.