The PCI Protection Racket - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Software // Information Management
01:05 PM
Connect Directly

The PCI Protection Racket

A hotel operator says his point-of-sale vendor is using PCI as an excuse to force expensive upgrades to POS equipment.

A hotel operator says his point-of-sale vendor is using PCI as an excuse to force expensive upgrades to POS equipment.I've criticized the PCI security standards, which aim to protect credit card data from being stolen, because of the way "compliance" can be gamed without necessarily making card data safer.

Now comes an e-mail from a reader who says his POS vendor is taking advantage of PCI to force him into more frequent -- and thus more expensive -- equipment upgrades. The mail comes from Jake Star, VP of technology at a company that owns and operates brand-name hotels in 16 states.

I'll let Mr. Star's e-mail speak for itself, but I'd also like to know if you've experienced something similar. Conversely, if you think this is just the cost of keeping data secure and will actually help protect card data in the long run, I welcome your comments.

Here's Mr. Star's e-mail. (Note that I obtained his permission before posting this message.)

I've been a relative cynic about PCI DSS compliance, especially since it seems that the volume of exposed cardholder data has simply increased since PCI has been in place. But I'm running across a new way in which PCI is sapping our limited IT budgets. As a merchant, I've got to ensure that the point-of-sale applications I use are PCI-certified. So I spent almost $1 Million upgrading systems last year. The POS vendor has a .X release each year, so I have a combination of systems on version 1.1 and 1.2. This year, they released 1.3. PCI comes out with a update to their standard (PCI DSS is version 1.2 as of October). There are no significant changes in the standard that would make a previous system noncompliant, but the POS vendor still needs to certify with the new version. The POS vendor, blaming everything on PCI, says they can only certify their two most recent version (1.2 and 1.3). Voila! All my 1.1 systems are magically no longer compliant and need to be upgraded. It is safe to assume that new a new PCI update will come out again next year. Therefore, the POS vendor has just effectively changed the lifecycle of their software from 5-7 years down to 2. Combine that with a strategy which requires you to retire older POS terminals in order to use the new version, and they now get 40% of the original system cost every two years. The moral of the story is that when companies purchase their software, they should include a clause in the contract that requires the vendor maintain compliance with PCI for a certain period of time or offer free upgrades.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of Chatbots: Pandemic Edition
Jessica Davis, Senior Editor, Enterprise Apps,  9/10/2020
Deloitte on Cloud, the Edge, and Enterprise Expectations
Joao-Pierre S. Ruth, Senior Writer,  9/14/2020
Data Science: How the Pandemic Has Affected 10 Popular Jobs
Cynthia Harvey, Freelance Journalist, InformationWeek,  9/9/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
IT Automation Transforms Network Management
In this special report we will examine the layers of automation and orchestration in IT operations, and how they can provide high availability and greater scale for modern applications and business demands.
Flash Poll