Disclaimer: CQR is a QSA company and I am a QSA. I have no special knowledge about what the
PCI council is going to do, so this is a fairly bold statement. I base my assessment on simple economics.
PCI DSS v3.0 will be released in October 2013. The only certainty is that it will have more controls, that they will be harder to comply with, and that compliance will be more expensive both to implement and to have audited.
Today most level 3 and 4 merchants are struggling with PCI. Next year will break some of them - some will just fail to comply, and others will consider no longer taking credit cards. Three years later, in October 2016, PCI DSS v4.0 will be released, and this will break the rest.
Don't get me wrong - PCI DSS is a good standard, it serves the purpose it was designed for, and if all merchants complied with it there would be far fewer credit card breaches.
But we need to go back to economic basics: if the cost of the control exceeds the value of the service, then it makes no economic sense to offer the service. Somewhere around the release of PCI DSS v4.0, the cost of compliance will cross over the value of the service for many merchants.
Here's my prediction for the inevitable decline: more and more merchants will stop taking credit cards directly. PCI DSS only applies if you store, process or transmit credit card data. So if merchants stop doing this directly, and instead use a third party service provider to process card data, they will no longer have a compliance burden. Merchants will still have a cost to bear, as the service provider will need to be compliant, but that cost can be amortised over many more merchants, leading to the cost of the control dropping back below the value of the service, and economic theory prevailing.
We are going to keep taking credit cards because they are just too convenient. But the market for PCI services is going to shrink radically, and in the end this is going to make all of us safer.
Phil Kernick Chief Technology Officer
@philkernick www.cqr.com