A hotel operator says his point-of-sale vendor is using PCI as an excuse to force expensive upgrades to POS equipment.
I've criticized the PCI security standards, which aim to protect credit card data from being stolen, because of the way "compliance" can be gamed without necessarily making card data safer.
Now comes an e-mail from a reader who says his POS vendor is taking advantage of PCI to force him into more frequent -- and thus more expensive -- equipment upgrades. The mail comes from Jake Star, VP of technology at a company that owns and operates brand-name hotels in 16 states.
I'll let Mr. Star's e-mail speak for itself, but I'd also like to know if you've experienced something similar. Conversely, if you think this is just the cost of keeping data secure and will actually help protect card data in the long run, I welcome your comments.
Here's Mr. Star's e-mail. (Note that I obtained his permission before posting this message.)
I've been a relative cynic about PCI DSS compliance, especially since it seems that the volume of exposed cardholder data has simply increased since PCI has been in place. But I'm running across a new way in which PCI is sapping our limited IT budgets.
As a merchant, I've got to ensure that the point-of-sale applications I use are PCI-certified. So I spent almost $1 Million upgrading systems last year. The POS vendor has a .X release each year, so I have a combination of systems on version 1.1 and 1.2. This year, they released 1.3.
PCI comes out with an update to their standard (PCI DSS is version 1.2 as of October). There are no significant changes in the standard that would make a previous system noncompliant, but the POS vendor still needs to certify with the new version. The POS vendor, blaming everything on PCI, says they can only certify their two most recent versions (1.2 and 1.3). Voila! All my 1.1 systems are magically no longer compliant and need to be upgraded.
It is safe to assume that a new PCI update will come out again next year. Therefore, the POS vendor has just effectively changed the lifecycle of their software from 5-7 years down to 2. Combine that with a strategy which requires you to retire older POS terminals in order to use the new version, and they now get 40% of the original system cost every two years.
The moral of the story is that when companies purchase their software, they should include a clause in the contract that requires the vendor to maintain compliance with PCI for a certain period of time or offer free upgrades.