Software // Information Management
01:05 PM
Connect Directly
Risk Data as a Strategy
Apr 06, 2016
There is a renewed focus on risk data aggregation and reporting (RDAR) solutions, as financial ins ...Read More>>

The PCI Protection Racket

A hotel operator says his point-of-sale vendor is using PCI as an excuse to force expensive upgrades to POS equipment.

A hotel operator says his point-of-sale vendor is using PCI as an excuse to force expensive upgrades to POS equipment.I've criticized the PCI security standards, which aim to protect credit card data from being stolen, because of the way "compliance" can be gamed without necessarily making card data safer.

Now comes an e-mail from a reader who says his POS vendor is taking advantage of PCI to force him into more frequent -- and thus more expensive -- equipment upgrades. The mail comes from Jake Star, VP of technology at a company that owns and operates brand-name hotels in 16 states.

I'll let Mr. Star's e-mail speak for itself, but I'd also like to know if you've experienced something similar. Conversely, if you think this is just the cost of keeping data secure and will actually help protect card data in the long run, I welcome your comments.

Here's Mr. Star's e-mail. (Note that I obtained his permission before posting this message.)

I've been a relative cynic about PCI DSS compliance, especially since it seems that the volume of exposed cardholder data has simply increased since PCI has been in place. But I'm running across a new way in which PCI is sapping our limited IT budgets. As a merchant, I've got to ensure that the point-of-sale applications I use are PCI-certified. So I spent almost $1 Million upgrading systems last year. The POS vendor has a .X release each year, so I have a combination of systems on version 1.1 and 1.2. This year, they released 1.3. PCI comes out with a update to their standard (PCI DSS is version 1.2 as of October). There are no significant changes in the standard that would make a previous system noncompliant, but the POS vendor still needs to certify with the new version. The POS vendor, blaming everything on PCI, says they can only certify their two most recent version (1.2 and 1.3). Voila! All my 1.1 systems are magically no longer compliant and need to be upgraded. It is safe to assume that new a new PCI update will come out again next year. Therefore, the POS vendor has just effectively changed the lifecycle of their software from 5-7 years down to 2. Combine that with a strategy which requires you to retire older POS terminals in order to use the new version, and they now get 40% of the original system cost every two years. The moral of the story is that when companies purchase their software, they should include a clause in the contract that requires the vendor maintain compliance with PCI for a certain period of time or offer free upgrades.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
The Agile Archive
The Agile Archive
When it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
2016 InformationWeek Elite 100
Our 28th annual ranking of the leading US users of business technology.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of April 24, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week!
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.