Must PCI Compliance Conflict With Customer Service?

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

I recently had a client ask: "Why is PCI making me stupid?" By that the client meant she was considering reversing a number of technology innovations her company had implemented over the last couple of years. Basically, those innovations had the unintended consequence of expanding her company's PCI scope, and the resulting cost of compliance was too much.

The issue is not unique to PCI. Innovations in retail technology happen everyday, but standards adapt to these changes much more slowly.

Every retailer lives in this situation. A mobile app works great, but it is not PCI compliant. Web orders get outsourced nicely, but processing mail order and telephone order (MOTO) transactions on a workstation either means lots of network reengineering, separate devices or lots of increased PCI scope (or all of the above). Sometimes, PCI compliance and security even seem to be at odds with each other. What is a merchant to do?

I wish I had the answers. But my conclusion is that maintaining PCI compliance can require retailers to make tradeoffs between having the latest, slickest customer experience and being compliant. Here are a few examples.

I know an E-Commerce merchant that has a small call center to handle customer service questions and process MOTO transactions. The merchant's staff used to process these payment-card purchases using their workstations, accessing the Web site just like a customer would. Unfortunately, that practice makes the workstations payment devices, and it brings the workstations and anything connected to them into PCI scope. Because the merchant wanted to keep its inventory and other systems out of PCI scope, it has started using POS terminals for processing MOTO transactions. The result is that the merchant is compliant again, but it has more back-office work reconciling the MOTO transactions with the online purchases.

From this merchant's perspective, PCI DSS made him scrap an integrated, efficient system and replace it with a two-step process that requires additional back-office work (not counting the POS terminals cluttering up the call center's desks).

The merchant could, of course, have added a second computer at each call center desk, one dedicated to processing payments and housed on a separate network segment. Both the new computers and the network segment would be in PCI scope. The POS devices, though, were cheaper, so the merchant is living with its newly dis-integrated arrangement.

Another case arose when I spoke at a conference where a university used a laptop to process payments at an offsite alumni event. Naturally, the practice raised a lot of PCI scoping questions about everything from the device to any wireless network used to process the card transactions. Another PCI expert was on the podium with me. That expert suggested that the university instead write the payment-card details on a paper form and process the transactions manually when university employees returned to their office (and, presumably, a POS device). The expert should have added that the university should hope there were neither declines nor transcription errors on those paper forms.

I have to agree that this approach simplifies PCI compliance. But it also dumbs down both the experience and the progressive, tech-savvy image the university—or any retailer—wants to project. Who would not think that Square (2011 technology) is sexier than an imprinter (a.k.a., "knuckle buster," a 1960's technology), which itself is probably sexier than pen and paper (let's go back to papyrus, say 2000 BCE)?

The biggest area where PCI is behind the curve is in mobile commerce. And, interestingly, this appears to be one case where the march of technology is unimpeded by compliance concerns.

The PCI Council has excluded mobile payment applications from its PA-DSS program for the last two years. In that time, mobile commerce has grown anyway. Ultimately, MasterCard and then Visa both published best practices for implementing mobile commerce using attached card readers (a.k.a., dongles). Both card brands recognized that using mobile devices with card readers might not be PCI compliant, but the practice was unavoidable.

So let's get back to the question of whether PCI, in the words of my client, "makes you dumb." It seems the answer is: It can, but it doesn't have to. Paper may not be sexy, but it is really difficult to hack from another continent. In some cases, PCI compliance will cause retailers and other merchants to go backward a bit in technology to minimize PCI compliance cost and effort. It's a tradeoff that seems to have a business case, and one where a merchant can make a decision based on the plusses and minuses. Blaming PCI compliance may be convenient and, in come cases, appropriate, but you still need to recognize that there are tradeoffs between security and convenience.

Maybe that's why we have QSAs—qualified security assessors—and not QCAs—qualified convenience assessors.

What do you think? I'd like to hear your thoughts. Either leave a comment or E-mail me.