Written by Glynn Davis
Emerging solutions and uncertainty over the interpretation of current PCI DSS standards are leading to reluctance among major retailers to become compliant, and are instead prompting them to call for greater clarity from the PCI Security Standards Council. Glynn Davis reports
Paul Rodgers, chairman at cards and payments community, Vendorcom, says: “There is some reluctance to adopt solutions when there is uncertainty about how the standards will emerge. The pressure is now on the card schemes and Security Standards Council (SSC) to clarify their position further so that retailers’ investments in PCI compliance can come to fruition quickly.”
He believes that the “rump” of retailers have so far failed to commit major investments to implementing solutions for PCI compliance because of the uncertainty over standards and have instead mainly concentrated their efforts on “assessing their risk profile and doing lots of analysis.”
But with new solutions hitting the market, Rodgers suggests there is a desire among retailers to invest, provided there is first further clarification on the standards and on whether the new solutions will get the thumbs up from the PCI SSC.
Progress on this front is absolutely essential, according to the man responsible for PCI compliance at one of the UK’s largest retailers. He says: “They have to come up with answers quickly, otherwise nobody moves. It’s a problem. The changes the Council are making are good but nobody moves forward until there is more clarification, and more quickly.”
He suggests the lack of willingness by retailers to push ahead is partly a result of seeing some big-name merchants commit millions of pounds to implementing extremely complex early solutions, which now look dated against the newer, much improved solutions. “The general view from retailers is that the standards are still immature, as are the solutions, so it’s easy to be caught out and spend millions on implementations (that quickly become outdated),” he suggests.
The newer solutions to hit the market, having emerged relatively recently, are described as ‘end-to-end’ or ‘point-to-point’ solutions and are a potential game changer for large retailers with significant store estates. Rodgers says: “There is a huge amount of interest as large areas of a retailer’s business can be taken out of scope” of PCI compliance. This involves keeping the transaction data (and most importantly the encryption keys) away from a retailer’s store estate.
The new solutions involve encrypting the transactions on the PIN pad and then taking the encrypted data straight to the retailer’s central servers, or on to the servers of an external managed-service provider in the case of many smaller merchants. The data is then sent on to the retailers’ Payment Service Provider (PSP) where it is decrypted before transmission to the relevant acquiring bank.
The key point is that this encrypted data is kept outside retailers’ stores, which removes the need for them to face the complexity of network segregation and the systems monitoring that PCI compliance otherwise requires. In the words of an executive at a High Street outfit with hundreds of stores, the new end-to-end solutions “remove the evils of PCI compliance.”
Turned on its head
Steve Watson, responsible for PCI DSS at the Co-operative Group and chairman of the PCI DSS UK Merchants Working Group, suggests end-to-end solutions and tokenisation (where ‘tokens’ are used in retailers’ systems that point to actual encrypted transaction data held externally) have over the last 12 months “turned on its head” the PCI DSS decisions facing companies. “Any PCI DSS project should now look to reduce the scope of what is applicable - from people to processes to technology - thereby reducing costs,” he says.
Although Watson recognises the massive benefits of end-to-end solutions to retailers, he is reluctant to call them a ‘silver bullet’, as there is still much work involved in achieving PCI compliance, including ensuring that retailers’ hardware and payment applications are compliant.
And for multi-channel organisations like the Co-operative Group, Watson says compliance will still require work to be undertaken on the online channel and other card-not-present (CNP) environments. He also points to the issue of the extra costs for each transaction that will be incurred as a result of retailers passing encrypted data to their PSPs to process. “This works well for SMEs but for large retailers I’d recommend considering the implications carefully,” he suggests.
Robin Adams, director of security, fraud and risk management at The Logic Group, also warns that the much higher cost of the more advanced PIN pads needed for end-to-end solutions has to be considered. “The solution is not suitable for all retailers,” he suggests.
For larger retailers the purity of an end-to-end solution is also likely to be muddied by their desire to use their transaction data (for the insight it can bring) within various parts of their businesses. This can add dramatically to the complexity of the overall solution required for PCI compliance.
For many companies tokenisation is part of the answer to this situation, as it allows them to hold their actual card and customer transaction data externally, where it is out of scope, and then use the tokens to point to that information when needed.
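The two scope-reduction mechanisms the article describes, encryption at the PIN pad with decryption only at the PSP, and tokens standing in for card data held in an external vault, are easiest to reason about as a boundary: which party holds a key, and which party ever sees a PAN. The following is an added illustration, not code from any of the vendors or retailers named above. It models the flow in Python with four hypothetical parties (PinPad, StoreSystem, PaymentServiceProvider, TokenVault) and uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for the terminal’s real cipher; the card number is a well-known test PAN, and the acquirer response is a constructed stub.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample input: a standard test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one injected key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the PIN pad's AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a modified blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class PinPad:
    """Tamper-resistant terminal: the only in-store component holding a key."""
    def __init__(self, key: bytes):
        self._key = key

    def read_card(self, pan: str) -> bytes:
        return encrypt(self._key, pan.encode())


class TokenVault:
    """External vault: maps random tokens to PANs; tokens carry no card data."""
    def __init__(self):
        self._store = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._store[token]


class PaymentServiceProvider:
    """Holds the decryption key and the vault; sits outside the store estate."""
    def __init__(self, key: bytes, vault: TokenVault):
        self._key, self._vault = key, vault

    def authorise(self, blob: bytes, amount: str) -> tuple[str, str]:
        pan = decrypt(self._key, blob).decode()
        # Constructed acquirer stub: a real PSP forwards to the acquiring bank.
        auth = "AUTH-" + hashlib.sha256(f"{pan}:{amount}".encode()).hexdigest()[:6]
        return self._vault.tokenise(pan), auth


@dataclass
class StoreSystem:
    """Till and back office: forwards opaque blobs, keeps only tokens, has no key."""
    records: list = field(default_factory=list)

    def take_payment(self, pad: PinPad, pan: str, amount: str, psp) -> str:
        blob = pad.read_card(pan)              # store only ever sees ciphertext
        token, auth = psp.authorise(blob, amount)
        self.records.append({"token": token, "amount": amount, "auth": auth})
        return token


def store_holds_pan(store: StoreSystem, pan: str) -> bool:
    """Scope check: does any in-store record contain the card number?"""
    return any(pan in str(rec) for rec in store.records)


def run_transaction(pan: str = SAMPLE_PAN, amount: str = "12.50"):
    key = secrets.token_bytes(32)              # injected into the pad and PSP only
    vault = TokenVault()
    psp = PaymentServiceProvider(key, vault)
    store, pad = StoreSystem(), PinPad(key)
    token = store.take_payment(pad, pan, amount, psp)
    return store, vault, token


def tamper_is_detected() -> bool:
    """Flip one ciphertext byte and confirm the PSP refuses to decrypt it."""
    key = secrets.token_bytes(32)
    blob = bytearray(encrypt(key, b"hello"))
    blob[17] ^= 0x01                            # byte inside the ciphertext region
    try:
        decrypt(key, bytes(blob))
        return False
    except ValueError:
        return decrypt(key, encrypt(key, b"hello")) == b"hello"
```

Running run_transaction() and then store_holds_pan() on the result shows the property the article’s sources are after: the store’s records contain a token and an authorisation reference but never the PAN, while vault.detokenise(token) still recovers it for the external party that holds it. The integrity tag matters for the same reason the keys do: a store-side system that could alter ciphertext undetected would be back in scope.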
Such issues are unlikely to affect most tier two and tier three retailers as they typically use little customer data within their organisations compared with the likes of Tesco that uses its loyalty card data throughout its business. And unlike Tesco, these smaller merchants are also willing to have their transaction data held remotely if it is cost-effective.
Mike Bielinski, chief executive at Vodat UK, therefore says that rather than pursuing an end-to-end solution, it might be more financially beneficial for such merchants to implement Vodat’s thin-client solution. This removes the need to add extra processing power to the PIN pad by transferring transactions to Vodat’s external servers, where they are held and processed.
He says that the solution is ideally suited to merchants that have a PDQ, as it effectively replaces this device with Vodat’s PCI-compliant alternative. The effectiveness of such a solution is enhanced by the retailer’s transactions being transmitted across a PCI-compliant network operated by Vodat.
Such a solution dramatically reduces the merchant’s scope for PCI compliance. This reduction of scope is very much at the centre of deliberations by retailers of all sizes as they re-assess their strategies for achieving PCI compliance. But what most of them are waiting for is that all-important clarification on standards from the PCI SSC before they press the ‘Go’ button on their investments and push ahead with achieving full compliance.