Blog | April 19, 2012

Can We Really Trust PCI Compliance?

By The Business Solutions Network

A few weeks ago, Global Payments revealed that information from as many as 1.5 million credit cards was stolen from its systems, marking yet another data security breach in the merchant processing world. In the time since the announcement, I've spoken with a handful of both resellers and software developers and found many to be wondering what the breach might mean for them, either directly (because they partner with/sell Global Payments) or indirectly (because customers are asking how safe their processor is).

I spent all day yesterday immersed in the world of payment processing at the ETA (Electronic Transaction Association) Annual Meeting & Expo in Las Vegas and had a chance to talk payments security with many people and get answers to most of the questions I've been asked by readers over the past few weeks.

I think Steve Elefant of the Strawhecker Group, a consulting company in the payments industry, probably gives the most succinct and wise advice to VARs and ISVs when he says, "I think we all need to realize that PCI compliance does not equal security. Unfortunately today, we are dealing with very sophisticated adversaries from around the world. These are 21st century bank robbers -- organized criminal gangs -- literally patterned after the mafia, that are powered by Ph.D.-educated bad guys that have nothing to do but go after our money and our critical infrastructure. It is much like a game of 'Whack a mole' where there are millions of ways to get into our systems but the bad guys only have to find one. We keep banging the bad guy/moles back down, but they just keep popping back up and hurting us."

Elefant and others interviewed believe the Global breach will not have any significant effect on software developers who have integrated with the payments company or VARs who rep Global. In fact, there seemed to be almost a dismissal of the idea that the breach would cause merchants to voice concern to their technology providers. Elefant pointed out that there are "trillions of dollars floating around in the ether every year" and that "VARs can have a high degree of confidence in processors and the payments system." I can't help but wonder if the payments industry's almost carefree take on breaches (not to minimize the triage that I'm sure Global's executive team is currently performing on the company) is due to the people involved just being way closer to the situation than we (coming from the POS reseller channel) are.

There's the old saying that where there's mystery, there's margin. Well, where there's mystery, there's also often fear. In the case of payments, it's true that many POS dealers aren't subject matter experts. Perhaps a lack of understanding of the entire payments landscape is causing some to make the problem seem bigger than it is and to fail to communicate effectively the overall safety of card processing to their merchants. All that said, everyone agrees that today's greatest security measures won't be adequate to stop tomorrow's criminal. Changes must be made to ensure rare breaches like Global's don't become more common.