There's something that's been bugging me for a couple years now and I can't figure out what's going on. Resellers and retailers don't seem to care about PCI and EMV. Editorial pieces we produce on the topics don't get much traction on our site and in our newsletters. The headlines are compelling. The content is actionable and relevant (breaches are huge news). Yet, there's little interest.
A couple of years ago I sent a survey to both our reseller readers and retailers themselves (through our sister publication). Both audiences indicated not only little interest in PCI, but little awareness of it. Indeed, at the time, 30 percent of retailers didn't know what an SAQ (the PCI Self-Assessment Questionnaire) was. Unbelievably, 10 percent of retailers were unfamiliar with the term PCI at all!
"In all honesty, resellers that we encounter could care less about PCI compliance. I feel as if it is only us software companies that care. The industry is still to this day ignorant about the topic of PCI, which is unfortunate."
"The majority of our resellers do NOT care about PCI compliance. It blows me away, but it is true."
Fast forward to today. We just wrapped up another audience survey and the results are pretty interesting. While VARs indicate an interest in learning about security breaches, there's little to no interest in learning about PCI or EMV adoption in the U.S. (despite looming deadlines).
My guess is that PCI, despite its thoroughness, has proven inadequate at stopping breaches. The PCI Security Standards Council itself will be the first to admit (partly to avoid being held liable) that compliance with its standards won't prevent every breach. A standard can't stop people from undoing the precautions it prescribes. Ironically, one could wedge a printed copy of the PCI DSS into a data center door to keep it from latching and locking, defeating much of the physical-access security laid out in the standard itself.
Is it this perceived lack of effectiveness that is causing some solutions providers and retailers to throw their hands in the air? While I agree wholeheartedly that data and network security are important, why read another article on the topic if, no matter what you do, weaknesses can still be exploited? In speaking with solutions providers in the past, their take on PCI seems to go as far as, "the software we provide is PCI compliant. We're good." That shortcut confuses the scope of a validated payment application with the scope of the merchant's cardholder data environment: the application's validation covers the software as shipped, while the network it runs on, who can log into it, and how it is configured, patched and monitored remain the merchant's and the reseller's responsibility. With all the other challenges facing retail IT resellers, it's probably a lot easier to assume PCI is addressed through the ISV and focus on more pressing things. Myopic and wrong, but I understand.
Of course, PCI needs to exist, or else data security in retail would be appalling. Still, it's just the first step in security, however thorough the standard is: an assessment proves the controls were in place on the day it was done, while breaches happen on every other day. PCI isn't just something software developers need to concern themselves with. It isn't a destination; it's a never-ending journey. Only with the help of solutions providers who care can many retailers keep their data safe.
I plan on calling readers to hear first-hand what their thoughts are on this topic. I welcome your comments below as well.