I know I keeping harping upon PCI, but I really do believe we’re only just beginning to feel the impacts here in Australia and New Zealand (plus Asia Pacific). It’s going to get bigger! My recent post on this topic threw out a few questions and I have managed to get clarification on some of them, plus additional interesting little bits.

Keep in mind that the following is my take on things, though I reckon I am pretty close to how it is. My sources here are pretty good. Let me also re-state that I am very pro PCI DSS. We’ve never had anything like this in this region that impacts so much of the business world to this level – mandating good security controls and practices…….common sense things, I think we would all describe them as…..things that good security guys have been preaching for years …..things that generally don’t get a reaction from the business world to the levels they should until someone with authority and a big stick mandates it! Anyway, I ramble…..back to the point:

So are things clearer now? Is there a definitive message that clarifies it all for those impacted – in particular the merchants and services providers (M&SPs)? ……. Well it depends upon how you look at things.

The Visa Story

Visa maintains a softly softly approach as they have had seemingly from the outset.

Their focus has been, and will continue to be, in the short term on Tier 1 M&SPs. For Tiers 2 and 3 at present, they are focussed on awareness programs – “Hey guys…. this is important and you should get your heads around it ASAP because we’re going to expect it soon”.

There are no plans at present to levy fines on acquiring banks for non-compliance by M&SPs. (Fines that the banks can then pass through to M&SPs). The strategy is to promote compliance and its benefits while still setting deadlines.

They seem to be realistic in understanding the extent of impact upon organizations that PCI DSS compliance will have. So as long as Tier 1 M&SPs can demonstrate a commitment to compliance and a realistic roadmap (within reasonable timeframes), there won’t (at this stage), be a threat of fines for non-compliance. A slack or non-commitment by M&SPs will more than likely be met differently.

So, that means that things are pretty cool at present and companies shouldn’t worry too much? Hmmmm……….

The MasterCard Story

The Payment Card Industry is made up of other members and whilst Visa can take a position, should another member take another position on compliance, the M&SPs will be hit with the highest common denominator. (Does that make sense?)

MasterCard has the same well-intentioned end goal, but is at present taking a very different approach.

Their big focus has been on Tier 2 and 3 M&SPs becoming compliant while building awareness with the Tier 1s – taking the position that such an undertaking will/may be huge for those organizations that fall into that category and thus they need extra time.

Aside from this difference, MasterCard has also started to levy fines (to my knowledge) on the acquiring banks. The reasoning; the banks have had plenty of notice now – earlier compliance deadlines such as 30 June, 2005 have long passed….they have been more than lenient and now it’s time for action otherwise how long will this go on for?

Some Questions:

1. Why are some/many M&SPs only just being told what they need to do in regards to PCI DSS compliance?
2. Why are threats of fines already being mentioned to these guys for non-compliance with PCI DSS within relatively unrealistic deadlines ie; like months?
3. Are some M&SPs going to “pay” due to a lack of appropriate and timely action to date from some acquiring banks?
4. Who is accountable (ie; who should pay the fines) for non-compliance in such scenarios? (I know where I am swaying on that).