Commentary
10/27/2008 01:05 PM

The PCI Protection Racket

A hotel operator says his point-of-sale vendor is using PCI as an excuse to force expensive upgrades to POS equipment.

I've criticized the PCI security standards, which aim to protect credit card data from being stolen, because of the way "compliance" can be gamed without necessarily making card data safer.

Now comes an e-mail from a reader who says his POS vendor is taking advantage of PCI to force him into more frequent -- and thus more expensive -- equipment upgrades. The mail comes from Jake Star, VP of technology at a company that owns and operates brand-name hotels in 16 states.

I'll let Mr. Star's e-mail speak for itself, but I'd also like to know if you've experienced something similar. Conversely, if you think this is just the cost of keeping data secure and will actually help protect card data in the long run, I welcome your comments.

Here's Mr. Star's e-mail. (Note that I obtained his permission before posting this message.)

I've been a relative cynic about PCI DSS compliance, especially since it seems that the volume of exposed cardholder data has simply increased since PCI has been in place. But I'm running across a new way in which PCI is sapping our limited IT budgets. As a merchant, I've got to ensure that the point-of-sale applications I use are PCI-certified. So I spent almost $1 million upgrading systems last year.

The POS vendor has a .X release each year, so I have a combination of systems on version 1.1 and 1.2. This year, they released 1.3. PCI comes out with an update to their standard (PCI DSS is version 1.2 as of October). There are no significant changes in the standard that would make a previous system noncompliant, but the POS vendor still needs to certify with the new version. The POS vendor, blaming everything on PCI, says they can only certify their two most recent versions (1.2 and 1.3). Voila! All my 1.1 systems are magically no longer compliant and need to be upgraded.

It is safe to assume that a new PCI update will come out again next year. Therefore, the POS vendor has just effectively changed the lifecycle of their software from 5-7 years down to 2. Combine that with a strategy which requires you to retire older POS terminals in order to use the new version, and they now get 40% of the original system cost every two years. The moral of the story is that when companies purchase their software, they should include a clause in the contract that requires the vendor to maintain compliance with PCI for a certain period of time or offer free upgrades.