Most Retailers Are Not Yet Ready To Outsource PCI

Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Outsourcing is considered the thing to do these days, like a summer barbecue. But it's both easier and more complex than most merchants think.

The first move has to be to take a serious look at your data. Think of it like a residential move. How much of that accumulated stuff do you really need anymore? How much are you honestly going to be leveraging and using? The less you keep, the less you have to protect and manage. And the less you keep, the easier it will be to outsource.

Even if you triage your data and keep only a small amount, don't get too trusting. Outsourcing can be a great way to get Visa and others off your back, but if you remove the data from your system and give it to someone else, you can't just pretend that it's being protected.

Let's be bold about this: Payment outsourcing will be the top trend among retailers and other merchants in 2009 and 2010, in terms of adoption, spending levels and impact on how these merchants manage their payment process.

We've conducted over 160 hours of interviews for the PCI Knowledge Base, and many of these interviews have been conducted with retailers. Although outsourcing is rare among the largest merchants, it's becoming very popular among SMEs. In terms of making PCI scalable, it's becoming pretty obvious that the only way to get the bulk of the retail community to be PCI compliant is if they outsource payment processing to third parties.

The leading edge of this trend is in higher education. Most major universities have managed to get their on-campus Level 4 merchants to be compliant by relying on a (primarily) outsourced payment gateway service and removing all card data from university applications, files and databases. Most have managed to complete this process in less than 12 months. In fact, I would wager that no place on the planet has as large concentrations of PCI-compliant Level 4 merchants as can be found on the campuses of American universities.

The key to this is the willingness to outsource the process and to work with the campus merchants and departments to convince them to live without the card data. Retailers tell me every day that they simply cannot outsource payment processing entirely, because the data is built into too many applications and business processes. On the other hand, the largest retailers are telling me that their average spending on PCI in year one is well north of $1 million, heading for $2 million. That's enough incentive to take a hard look at outsourcing (particularly if you haven't yet spent the $2 million, because you're hoping PCI will go away or magically become easier).

But wait! Isn't payment outsourcing bizarrely expensive? The answer is "yes" in some cases, and getting that monthly bill for having someone else do something that you already have staff in place to do is the other half of the "push me pull you" argument. It's all in how PCI is paid for and who is running it. If PCI is being run out of the IT department as a "security project," then the issue of outsourcing may never even be discussed. But if it's being run out of the CFO's office under a Compliance Office or Internal Audit, then outsourcing should be on the agenda for a meeting this year, because the CFO is in the best position to weigh the pros and cons of the issue.

Why should you trust a service provider more than your own people? You shouldn't. In fact, the real downside of outsourcing is the "out of sight, out of mind" problem. Probably 90 percent of merchants have no due diligence process in place with their service providers to make sure that, day by day, their data is being protected as well as, or better than, it would be if they themselves were doing the job. Without regular reporting and inspection, the risk of payment outsourcing is actually pretty high. To win business, payment service providers will have to focus more on what I'd call "continuous compliance reporting," so that retailers won't have to wonder what's going on with all that data they entrusted to the service provider.

Are service providers fully PCI compliant? This question is tough, and worth asking each and every service provider you deal with. Most service providers are not capable of being PCI compliant "as a company" because of how data for multiple customers is stored together on servers, how access is managed, etc. However, service providers can (and do) provide a "PCI-compliant environment" for Customer X or Customer Y, which has proven to be acceptable to the card brands, acquirers and QSAs.

The bottom line is that retailers must recognize that they still cannot outsource liability, and they must take more responsibility for service provider due diligence, whether they fully outsource payment processing or not. By the way, it's worth noting that being an IT or payment service provider is probably the most difficult task in all of PCI Land, because of the "converging compliance conundrum," but we'll address that in a future column.

If you're a retailer, we want to get you involved in the best practices study we're doing for the National Retail Federation. If you'd like to participate, send me an E-mail at [email protected]