Re-Thinking Payment Gateways

Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

A surprisingly large number of major retailers today are using inhouse or outsourced payment gateways to reduce the scope of their compliance effort as well as their costs. At some point in the last decade, nearly every organization involved in electronic commerce did an evaluation of payment gateways. So, what's changed?

The answer is that the PCI requirements have changed some of the math and criteria used to evaluate payment gateways and that means it's time to revisit some of the decisions that were made prior to the increased focus on merchant and service provider security.

PCI narrows your payment gateway options. Retailers and service providers have made it clear that many of the smaller payment gateway providers simply cannot afford to implement all of the data security requirements of PCI DSS. Rather than find another line of work, some of them are avoiding the issue of security or getting compliant by "working" the system via compensating controls, "easy grader" QSAs and other questionable techniques. This means that merchants who originally viewed the gateway business as a purely price-based decision should re-think their selection of a gateway vendor. I am not saying that you should not shop on price. I am saying that you should substantially narrow the list of vendors from which you choose.

PCI compliance should not be a "checkbox" for gateways. We all know that PCI compliance lends itself to a "checkbox" approach. However, if there is any time when you want to do serious due diligence, it is when you are choosing a company that is going to handle payment processing. On many of the payment gateway Web sites, you can't even find mention of whether they are compliant.

When I've talked to some of these vendors, all I can get from most is "we're PCI compliant" or "we're on Visa's list." But it's clear that merchants considering these gateways need to focus on the specific "evidence" of compliance, and particularly the use of compensating controls. There is way too much trust being placed in these payment gateways for merchants to simply place "PCI compliance" on a spreadsheet or in a table and plug in "yes" or "no" and move on to the next item.

Maybe you should manage your own payment gateway. Many universities and diversified corporations manage their own payment gateways, and they have found it is a major improvement in reducing the scope of compliance assessments. By managing their gateway inhouse, typically working closely with their bank/card processor, they feel they are keeping control, while reducing both transaction and security management costs.

But there are some major risks with the "do it yourself" approach. In addition to fully owning all liability and breach response management, keeping up with fraud detection requires that the payment gateway owners do more than just achieve PCI compliance. Some of the payment gateways only provide basic Address Verification System (AVS) and Card Code Verification (CCV), so improving fraud detection may require software upgrades to get improved analytics, but the costs can generally be directly justified based on the money saved by reducing chargebacks.

Data security is a feature. Despite all the supposed awareness of PCI and data security in the payment community, we were surprised that when we searched for comparisons of payment gateways, virtually none of them had any focus on the security of the transactions or the overall service being provided. Therefore, it's hard to fault a merchant who chooses a payment gateway that is less than secure.

One difficult decision is deciding when to outsource payment and security services to third parties. (For those who want to explore further, the PCI Knowledge Base is working with the National Retail Federation on a study of retail PCI best practices and payment is one of the top areas we're looking at.)

I am concerned that many of the payment gateway vendors choose not to emphasize the security of customer data as a feature. I expect this will change. But, in the meantime, I certainly recommend doing a very thorough review of the specific controls that a prospective payment gateway would apply to your data and being very demanding when it comes to getting the "evidence" of compliance, particularly descriptions of any compensating controls. You'll be much happier later on, if anything should happen.

Bottom line: If you made your payment gateway decisions (insource vs. outsource; vendor selection) more than three years ago and you didn't do a thorough analysis of the security being accorded your payment data, then you need to re-think your decision now. If you'd like to argue with me, please send me an E-mail at [email protected] or visit and click Register to join the PCI Knowledge Base.