Tuesday, 16 April 2013

Decline of the PCI empire

The Payment Card Industry Data Security Standard - PCI DSS - is a standard with 255 controls that you must comply with if you store, process or transmit credit card information.  Complying with the standard is the cost of doing e-commerce today.  The cost is high, and going to get higher, and as with all monopoly empires this increase will eventually lead to its downfall.

Disclaimer: CQR is a QSA company and I am a QSA.  I have no special knowledge about what the PCI council is going to do, so this is a fairly bold statement.  I base my assessment on simple economics.

PCI DSS v3.0 will be released in October 2013.  The only certainty is that it will have more controls, and they will be harder to comply with, and it will be more expensive both to implement and have audited.  Today most level 3 and 4 merchants are struggling with PCI.  Next year will break some of them - some will just fail to comply, and others will consider no longer taking credit cards.  Three years later, in October 2016, PCI DSS v4.0 will be released, and this will break the rest.

Don't get me wrong - PCI DSS is a good standard, it serves the purpose it was designed for, and if all merchants complied with it there would be far fewer credit card breaches.  But we need to go back to economic basics: if the cost of the control exceeds the value of the service, then it makes no economic sense to offer the service.  Somewhere around the release of PCI DSS v4.0 this will cross over.

Here's my prediction for the inevitable decline: more and more merchants will stop taking credit cards directly.  PCI DSS only applies if you store, process or transmit credit card data.  So if merchants stop doing this directly, and instead use a third party service provider to process card data, they will no longer have a compliance burden.  Merchants will still have a cost to bear, as the service provider will need to be compliant, but that cost can be amortised over many more merchants, leading to the cost of the control dropping back below the value of the service, and economic theory prevailing.

We are going to keep taking credit cards because they are just too convenient.  But the market for PCI services is going to shrink radically, and in the end this is going to make all of us safer.

Phil Kernick, Chief Technology Officer
@philkernick www.cqr.com