This one was a little complicated, both in subject matter, and in the fact that it was a panel of seven people, each delivering about eight minutes of presentation. It’s not an easy format to cover from my perspective, since it jumped all over the place. Also – full disclosure – I got there a few minutes late, because I was interviewing somebody in the exhibit hall.

Just to be clear, PCI and PA-DSS are the standards the credit card industry imposes on people who accept credit cards (and on the software and hosting providers of those people). There’s a July 1, 2010 deadline by which merchants have to be compliant.
Also, important note: if this affects you, it’s really something you need to go do a lot of research on. You probably already know that. But I just want to reiterate that this blog post is a small sampling of a presentation that is a drop in the bucket of issues around PCI compliance.
The presentation was useful in that it compared and compiled the perspectives of all these contributors on the ultimate goal of PCI compliance. Again, it was difficult to home in on a unified idea, since they jumped all over the place as far as the focus of what they were saying. Overall, however, the breadth of information on compliance was definitely valuable.
I’m just going to offer some almost-bulleted points on what came up. That seems to be the most in the spirit of the session.
Qualified security assessors – I believe the delivery from the actual QSA companies on the panel was the part that I missed. My apologies. Anyway, this I know: in order to be PCI compliant, you have to have been assessed, deemed compliant, and then recorded as such. A QSA (like Trustwave, represented on the panel) is the company you need to have create that record for you.
Compliance issues, and the willingness to handle that complexity, are going to separate low-margin customers from larger customers (within the realm of online retailers – or people processing payments, anyway). One outcome of this is that focusing on PCI and PA-DSS compliance can put you in a position to attract the higher-margin customers, who are stickier and less likely to go out of business – that is, better customers.
According to Rick Wilson, of Miva Merchant, out of 300 shopping cart solutions, only eight of them are currently going through the process of making sure they are certified (Miva Merchant and Pinnacle Cart among them).
There is a lot of miscommunication, misinformation and lack of information out there among would-be compliant users of various credit card processing tools. Mike Auger of Pinnacle Cart mentioned that he and Wilson have discussed working together to help disseminate information to people who want to know how to become compliant.
Stacy Griggs from MaximumASP had an interesting point: maybe you don’t want to offer PCI compliant web hosting. It’s a lot of work, on an ongoing basis. It’s definitely something you have to commit to.