Laugh as the Sun comes, Arnett Gill

I hate to be a cynic.

OK, fine. SOMETIMES I get secret enjoyment out of being a cynic. Kind of like the enjoyment of making fun of someone in a way that they don’t know they are being made fun of. Or that satisfaction of eating candy from your kid’s Halloween stash knowing they will never miss it (unless your kid is Ms. KJ… you know who you are, you little Halloween candy auditor you…).

The NRF and others “ganged up” on PCI yesterday by sending a letter demanding easier treatment under the standard. I understand the intent, and applaud them for sending the letter across. While there may be a valid point or two buried in there, I think this is a sad day for Merchants.

As I have said many times before, PCI is NOT the scariest thing out there. Savvy merchants have figured out how to win within the rules, as opposed to digging their heels in like my 4-year-old son when it’s time to go inside, running down the sidewalk screaming NOOOOOOOOOOOOOOO. Savvy merchants know that these rules, while a little broad-reaching, can help them solve OTHER security issues, and help their company realize that security is much more than dealing with fraud & shrink.

These merchant associations only represent a vocal minority among their constituency. Most merchants I deal with really want to get security right, and have conceded that if it has to start with PCI, then that’s where it has to start. There are those few that fight you tooth and nail on every single requirement, pushing for a ruling that gets them the easiest pass with the fewest dollars spent. Unfortunately for QSAs, they are also the most likely to be breached, and the ones that will turn on you in an instant, throwing you under the bus.

As another industry expert said (I can’t remember who to attribute it to), “It’s a scary time to be a QSA!”

Luckily for our customers, we take a partnership approach versus an audit approach. Our customers love the collaborative process that our assessment takes, and understand the value and cost of information security.

If you are a member of these associations and are unhappy with the direction they are taking, I urge you to speak out! Breaches involving PII are much more costly and dangerous to the longevity of the business, and without PCI to raise the general information security flag, your business is next!

This post originally appeared on