Commentary
The PCI Protection Racket
A hotel operator says his point-of-sale vendor is using PCI as an excuse to force expensive upgrades to POS equipment.A hotel operator says his point-of-sale vendor is using PCI as an excuse to force expensive upgrades to POS equipment.I've criticized the PCI security standards, which aim to protect credit card data from being stolen, because of the way "compliance" can be gamed without necessarily making card data safer.
Now comes an e-mail from a reader who says his POS vendor is taking advantage of PCI to force him into more frequent -- and thus more expensive -- equipment upgrades. The mail comes from Jake Star, VP of technology at a company that owns and operates brand-name hotels in 16 states.
More Software Insights
White Papers
- Creating the Enterprise-Class Tablet Environment - by Yankee Group
- Red Alert: Why Tablet Security Matters - by BlackBerry
Reports
More >>Webcasts
- Maximize ROI with Database Consolidation onto Private Clouds
- The ABC's of Cloud Computing in the Midmarket
I'll let Mr. Star's e-mail speak for itself, but I'd also like to know if you've experienced something similar. Conversely, if you think this is just the cost of keeping data secure and will actually help protect card data in the long run, I welcome your comments.
Here's Mr. Star's e-mail. (Note that I obtained his permission before posting this message.)
I've been a relative cynic about PCI DSS compliance, especially since it seems that the volume of exposed cardholder data has simply increased since PCI has been in place. But I'm running across a new way in which PCI is sapping our limited IT budgets. As a merchant, I've got to ensure that the point-of-sale applications I use are PCI-certified. So I spent almost $1 Million upgrading systems last year. The POS vendor has a .X release each year, so I have a combination of systems on version 1.1 and 1.2. This year, they released 1.3. PCI comes out with a update to their standard (PCI DSS is version 1.2 as of October). There are no significant changes in the standard that would make a previous system noncompliant, but the POS vendor still needs to certify with the new version. The POS vendor, blaming everything on PCI, says they can only certify their two most recent version (1.2 and 1.3). Voila! All my 1.1 systems are magically no longer compliant and need to be upgraded. It is safe to assume that new a new PCI update will come out again next year. Therefore, the POS vendor has just effectively changed the lifecycle of their software from 5-7 years down to 2. Combine that with a strategy which requires you to retire older POS terminals in order to use the new version, and they now get 40% of the original system cost every two years. The moral of the story is that when companies purchase their software, they should include a clause in the contract that requires the vendor maintain compliance with PCI for a certain period of time or offer free upgrades.
Related Reading
| To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy. | |
|
|
T-Shirt Giveaway: Each week we're selecting one great comment from our readers. The author of the comment will receive an InformaitonWeek Community t-shirt. So get posting! |
Subscribe to RSSResource Links
This Week's Issue
Technology Whitepapers
- Mobile BI: Actionable Intelligence for the Agile Enterprise
- How To Regain IT Control In An Increasingly Mobile World - by BlackBerry
- The BlackBerry PlayBook tablet's Good Bones - by BlackBerry
- Red Alert: Why Tablet Security Matters - by BlackBerry
- New Visual and Wizard-Driven Paradigms for Exploring Data and Developing Analytic Workflows
Featured Broadcast
This white paper explains how to create a manageable, scalable environment suited to answer real-time business needs by building out a data center on a standards-based, virtualization-aware, energy-efficient and affordable platform. Plus, learn how virtualization is making the jump from the server realm into the application, mobile and database worlds in the additional resources section.
Learn More












