In PCI: Who Really Cares?, I shared some survey data that pointed to a lack of awareness/caring/interest in the topic of PCI from certain solutions providers. Quotes from ISVs (software developers) led me to believe that they felt alone in the struggle of PCI standards compliance. Well, that article prompted an email from an ISV. Wishing to remain anonymous, the ISV told me about software competitors who were not on the list of PA-DSS validated payment applications. While he's invested hundreds of thousands of dollars certifying his software, "by some random application of standards [maybe that they are considered a ‘mobile POS’], my competitors don’t seem to be required to become PCI compliant," he grieved.
Random application of standards? Do the standards or the PCI Council leave anything up to interpretation? Why is there so much confusion or lack of awareness about who is responsible for what, and to what degree? Why do some ISVs feel like they don't have to worry about PCI?
It's all so simple, right? Software vendors get a 55-page PA-DSS document that clearly spells everything out in table after table of head-spinning detail. And what can be more clear than the 75-page tome that is the data security standard document!? (If you're wondering why you need to read the 75 pages, first check out the 61-page "Understanding the Intent of the Requirements" document.)
Ok, end sarcasm. It's actually not the page after page of technical stuff that's creating a barrier. It's that detail, added to the fact that solutions providers aren't in the business of electronic payment security. They're in the business of helping merchants run their business more efficiently. And merchants just want to sell stuff, not deal with electronic payment security.
Should I be surprised, then, that few in the retail ecosystem seem to care about PCI? Of course, I'm not talking about the Tier-1 merchants that were compelled to care.
Having written a handful of articles on this topic and fielded numerous responses from various people in the industry, it's clear that I need to get to the bottom of what's happening in the retail ecosystem as it pertains to PCI, because I've been getting a whole lot of "very few seem to actually care" messages. Someone has to care. Stay tuned...