Shakedown? Mandatory Retail Buy List To Exclude ISVs Who Refuse To Pay PCI Tribute

In what some software vendors dub a shakedown, a PCI list of compliant applications—which retailers will soon be limited to purchasing from, if they want to stay PCI compliant—is excluding software vendors who decline to pay a financial tribute to PCI.

The list is from the Payment Application Best Practices (PABP) program, and retailers will soon be forced to limit their payment-related product purchases from that list. According to Visa, as of July 1, 2010, "Acquirers must ensure their merchants, VNPs (VisaNet Processors) and agents use only PABP-compliant applications."

Although that technically does not require a retailer to use only the apps on the list, they would be required to prove that the apps they choose are compliant. Retailers could perform their own testing or force the software vendor to prove compliance. But as a practical matter, it's likely that the vast majority of retailers will simply use the already-approved applications on the list.

The list had been maintained by Visa, but it will be transitioned to a group within the Payment Card Industry Security Standards Council on October 1.

But why wait until the last minute? In late August, PCI started sending letters to already-listed application developers informing them of a change: All listings will require a $1,250 payment—per application, every year—as "a listing fee." Somehow, Visa managed to craft the list without such a fee.

Indeed, the notices were sent—with payment due immediately—more than a month before PCI even has control of the process.

One such software vendor, Shift4, has started rallying against the move on a blog run by its VP for application development.

"My feeling is that this is nothing more than an extortion letter. Upon reading this notification, I immediately responded to PCI DSS asking for a justification of the fee. So far, no response and I really don't expect one," wrote that Shift4 VP, Steve Sommers. "I also called PCI SSC directly to verify the notification because it had such a scam smell. Much to my surprise and dismay, they confirmed it was legit. Now the program I have been promoting as 'good for the industry' reeks of a scam."

That may be a bit harsh, but this does raise some troubling issues. The intent of the list is that it's as full and comprehensive a list as possible of compliant applications. What about smaller open-source vendors, whose applications might be superior to high-end applications for a much lower cost? What if they have seven or eight applications and can't afford the $10,000?

This is especially problematic because this listing fee would be atop membership fees and the costs of paying for the assessments. "I think it is going to cripple PCI," Sommers said, "because vendor support is going to drop and who pays the fee for open-source projects that are slowly gaining momentum?"

Another issue for retailers to consider about the list is what protections it truly provides. One of the promises of PCI compliance is the much sought-after retail payment data safe harbor.

But like PCI compliance itself, the protection is far from ironclad. A post-breach thorough probe by Visa, banks, the Secret Service and anyone else can easily turn up things that were missed by a cursory initial assessment. If the retailer is found to not actually be compliant—regardless of whether they were certified compliant—that safe harbor is going to be about as safe as the Sunni Triangle after dark.

The list has similar issues. A retailer using a vendor on the list who happens to be caught up in a breach will also have its apps inspected. If an application is found to not be compliant, it's unlikely that the vendor's name being on a PCI list will help much.

David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner. He questions whether the list will provide much protection at all.

"If retailers and assessors could trust this list as a 'safe harbor' so that buying from the list would free them from repercussions should they be breached, then it could be worth buying only from the list," Taylor said. "However, after discussing this with several PCI assessors, they've been told by the (Security Standards Council) and in training classes that they must do their own validation of the vendor because assessors are signing off, and there are lots of version, configuration and implementation issues that could result in a single tested version being different in a number of ways from what is implemented by the retailer. That's the software business for you."

Although neither PCI nor Visa would provide anyone to discuss this story, some anonymous discussion group postings (a minority, but some) have defended the move, saying that the fees are needed to allow the group to become financially independent from Visa.

Much of this problem might prove to be a lack of communication. It might be that the fees are justified to create the organization needed. There are 161 vendors on the list as of Aug. 31, a number that is almost certain to soar as the 2010 deadline approaches. (Some banks are demanding compliance sooner than 2010.)

It's certainly possible that the listing fees might be reduced as the number of applications increases, but PCI hasn't addressed that issue publicly. Without such information, it certainly can look like profiteering.

But the even worse perception problem is if retailers see the list as a series of advertisers and not as a comprehensive list of all compliant applications. It's not clear, though, what recourse such merchants would have if they did perceive it that way. But anything that would undermine the perceived credibility of PCI as it tries to establish its independence from Visa can't be good.