Merchants of all sizes love to hate PCI. In a perverse sense then, PCI can be a payment facilitator’s best friend. The more complicated, difficult and agonizing PCI guidelines become, the more merchants—especially smaller ones—will find tremendous value in pawning off the PCI duties to someone else, especially someone else—such as a PF—that knows PCI and other compliance rules intimately.
It’s for that reason that what the PCI Security Standards Council did last week is so important. Not only are they making the rules more demanding and complicated—a necessary move to boost the rules’ security—but they are now applying the rules far more broadly, implicating executives who had never before had to directly deal with PCI. Put into corporate terms, it’s one thing to infuriate a bunch of CIOs and CISOs, but it’s quite a different thing to infuriate their CFO, COO and CEO bosses as well as their bosses, namely board members. And yet that’s exactly what the council is doing.
We noted two weeks ago that PCI was getting stricter, with new edicts announced last week specifically insisting on stronger authentication procedures and new rules for third-party service providers. But when the rules finally came out, they also included requirements imposed on those COOs, CFOs, CEOs and board members.
Troy Leach, the chief technology officer for the PCI Security Standards Council, pointed to a new rule, within Requirement 12, that mandates “executive management establish responsibilities for the protection of cardholder data and a PCI DSS compliance program.”
“The intent is that we at least push the visibility to the executive level,” Troy said, referring to the full text of the new guidelines. “We need for there to be different C-levels aware of compliance responsibilities.” This change will demand “some type of accountability” with those non-tech executives and corporate board members, he said.
One criticism of payments security in general, and PCI rules in particular, is that they facilitate and enable checklist security. A common CEO security approach is to add more firewalls and other perimeter security to make it harder to break in, but the problem is that thieves simply scale up their attacks by the same amount. Troy cited another security cliché about these executives: when security builds a higher wall, cyberthieves simply bring a taller ladder. Troy said this new rule was specifically targeting executives “who are in the ladder camp,” adding that, in a perfect world, such a rule wouldn’t be needed. “You’d like to not see this as a requirement,” he said, but corporate reality is forcing the issue.
These PCI changes are the right move for PCI. The council is doing right by merchants, by payments professionals and by its own vendor members. But it is also doing right by PFs, by making the rules more arduous and forcing more merchant executives to deal with them or to turn them over to PFs. Interestingly, the value-add that a PF brings to merchants is the security-appropriate way to do the exact kind of handing-off that the council objects to when it is done the wrong way.
The handing-off that the council is fighting is when security operational decisions are delegated without oversight, either by CEOs to CIOs or by those CIOs to their third-party providers, suppliers and partners. In both cases, the problem is not with the handoff per se, but with the handoff having no supervision. The council wants the CEO to know what security decisions are being made and why. They want the CEO to intimately understand, for example, the real-world business implications of cutting a CIO’s security budget.
The same goes for third parties. The objection is not that IT staffs turn to others for technical and security help, nor that lines of business turn to distributors and suppliers to help with business operations. The concern is that these people can’t delegate away their PCI responsibilities. If a partner has crappy security, you just inherited it. In the most literal way possible, their problems just became your problems.
When merchants turn over their payments duties to PFs, they shed the day-to-day PCI and security headaches. The accountability the council insists on still rests with the merchant, but the handoff is a good one, because the security work is being placed in better, more specialized, hands.