Level 4 Apathy
By Mike Rothman
I was perusing some of my saved links from the past few weeks and came across Shimmy’s dispatch from the ETA (Electronic Transaction Association) show, which is a big conference for payment processors. As Alan summarized, here are the key takeaways from the processors:
- They view the PCI Council as not caring about Level 3 and 4 merchants. Basically a shark with no teeth.
- They don’t see smaller merchants as a big risk.
- They believe their responsibility ends when a ‘program’ is in place.
Alan uses the rest of his post to beat on the PCI scanning shylocks, who are offering services for $1 per merchant to check the vulnerability scan box and fill out the SAQ.
But my perspective is a bit different. Right there, in the flesh, is the compliance-centric mindset. It’s not about outcomes, it’s about checking the box. And we can decide to get all upset about it, but that would be a waste of time. You see, apathy is usually a result of some kind of analysis (either conscious or unconscious). I suspect the processors have done the math and decided to focus their risk management on the places where they lose the most money – presumably the Level 1 and 2 merchants.
Now I haven’t seen the fraud reports from any of these folks, but I presume they do a bit of analysis on where their ‘shrinkage’ occurs, and if a large portion of it was Level 3 and 4 merchants, then Mr. Market would expect them to be much more aggressive about making real security changes at that level. But they aren’t, so the only conclusion I can draw is that even though (as Alan says) 85% of the incidents take place at smaller merchants, it’s probably only a small portion of the total dollars in fraud. To be clear, I could be making that up, and/or the processors could just be crappy at understanding their risk profiles. But I don’t think so.
I think as an industry we really have to start thinking about the point of diminishing returns. Where is the line where increasing our efforts to secure small companies just doesn’t matter? You know, where the economic benefit of reduced fraud is outweighed by the cost of making those security improvements. Seems like the PCI Council is already there. Of course, the trade press will still get all aflutter about the builder or shop owner whose accounts are looted for $100K or $500K, and then they go out of business.
That’s sad, but it seems the card value chain is focused on stopping the $100M losses, and is willing to accept the $100K fraud. Predictably, the system is figuring out how to game the lower levels of the regulation, where the focus is non-existent. Though it probably pisses you off, you shouldn’t be surprised. After all, it’s just simple economics, right?
Mike, just saw this, sorry. My impression is that the entire payment industry, except for the card brands themselves, wishes that PCI would just pack up and go home. Unless they can make money off of it, it is just a waste of time to them. Sad but true.
By Alan Shimel
PCI is a joke, not just at level 3/4.
You can spend millions on achieving PCI compliance, but as long as someone can use a $5.99 pile-it-high domain registrar which, oops, has a SQL injection flaw, the whole thing is largely pointless.
PCI doesn’t really seem to acknowledge that the whole thing is, from the ground up, reliant on the security of domain registrar web portals…
(DNSSEC can’t solve this one either.)
And all to keep a bunch of numbers that _anyone_ can generate, and that were never designed to be kept secret!
The real shame here is that anyone imagines that PCI exists to protect the cardholder or the merchant. Apply lessons from our own experiences… when I really care about a supplier, I get on a plane and build a relationship (L1). If they can’t make/break me, I send them a questionnaire (L4). The PCI folks implemented their requirements to protect themselves, not us, thus their behaviour is predictable. The same is true for SET… it isn’t to protect you, it is to allow the transfer of liability to you.