The PCI Council has been pretty influential in our lives since its inception on September 7, 2006. They were handed control of the PCI Data Security Standard and have turned it into a cascading group of standards that govern (or recommend controls) for nearly every aspect of payment acceptance and processing. So it almost seems like this PCI problem is sort of solved, doesn’t it?

[Image: Encrypted stories, by FeatheredTar]

When you look at the PCI DSS ecosystem, many of the big rocks have already been addressed. This has some interesting side effects, one of which is a camp of merchants that have been hounded to get compliant (Levels 1-3) and a mass of merchants that have no clue about PCI DSS until they are breached (Level 4). Keep in mind, the number of merchants that make up the latter group is much larger than the former. For every one of those larger merchants, there are around 1,800 of the smaller ones in the US alone[1]. That large group of merchants, which collectively processes the majority of transactions (around 65-70%), only represents ~0.05% of the total merchant population in the US.

A breach at one of those larger merchants is more significant than one at a smaller merchant due to the number of transactions they process. But what often happens is that smaller merchants don’t know they need to comply, have never heard of PCI DSS, and end up going out of business. Sure, a breach of 5,000 cards is significant in fines to a small merchant, but to the overall ecosystem it is a blip considering that there are more than 600 million cards issued in the US alone[2].

The PCI Council has recently accelerated compliance among certain groups of merchants through their Point-to-Point Encryption (P2PE) guidance, whereby some merchants have been able to remove significant portions of their infrastructure from scope. We saw at the North American Community Meeting that the Hardware Encrypt/Hardware Decrypt (HW/HW) standard is approved and manufacturers are invited to submit their terminals for testing and approval. This is great for merchants who use HW/HW terminals, but there are few Level 4 merchants who are willing to swap out terminals to be able to say they comply with this standard.

[Image: Chatuchak Market, by Martin Fischer]

Some of my most enlightening consulting work in the PCI DSS space is with large franchisors—those common brands you see in small shops on every street corner that are really owned by Joe Main Street, not a giant corporation. If Joe Main Street had a windfall of $10,000 to invest in his business, he is definitely not buying new P2PE compliant hardware terminals (or compliant card readers for integrated POS, another huge problem for this community). My experience with these merchants is that this type of equipment gets replaced when it is beyond repair. Yet, in reality, an investment like that could protect his business from closure due to a payment card breach.

So if we know that a small merchant needs assistance but is unwilling to pay thousands of dollars to get that assistance, what can we do? One thing we learned at the community meeting is that the Software Encrypt/Hardware Decrypt (SW/HW) standard has been given some ambiguous release date in 2013-2014, behind a Hardware Encrypt/Software Decrypt (HW/SW) standard that doesn’t stand to help anyone in the merchant community. The biggest thing the PCI Council can do is to prioritize the SW/HW P2PE requirements such that the 99.95% merchant community could have access to cheap, but effective, encryption routines to take huge portions of their networks out of scope.

I can hear you say, “But Branden, software encryption isn’t better than hardware encryption!” I’m not suggesting that it is. Equating hardware encryption to software encryption is an apples to oranges comparison. What I would suggest is that software encryption (easy and quick to adopt) is preferable to no encryption—essentially an apples to no apples comparison—and giving merchants an approved vehicle by which they can accomplish this can make a big difference in reducing risk. Using public-key cryptography systems, these merchants could improve their security posture by an order of magnitude using the same proven (and approved by PCI DSS) technology that protects online transactions in the browser today.
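To make the SW/HW idea from the last two paragraphs concrete, here is an added example (my own illustration, not code from the post, the PCI Council, or any P2PE solution) of what "software encrypt, hardware decrypt" looks like in practice: the merchant's software holds only a public key, seals each card number under a one-time AES-256-GCM key, wraps that key with RSA-OAEP, and forwards the envelope; the private key lives only at the decrypting side (the processor's HSM in the SW/HW model). The envelope layout, the OAEP label `p2pe-dek-v1`, the function names and the test card number are all assumptions made for this example; the cryptographic primitives are Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// oaepLabel binds the wrapped key to its purpose (hypothetical value for this example).
var oaepLabel = []byte("p2pe-dek-v1")

// Envelope is what leaves the merchant's point of capture. The card number is
// sealed under a one-time AES key, and that key is wrapped with the decrypting
// party's RSA public key, so nothing on the merchant network can recover the PAN.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(SHA-256) of the 32-byte data-encryption key
	Nonce      []byte // 96-bit GCM nonce, fresh per envelope
	Ciphertext []byte // AES-256-GCM ciphertext followed by the 16-byte tag
}

// MerchantEncrypt runs in merchant software; it needs only the public key.
func MerchantEncrypt(pub *rsa.PublicKey, pan string) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), nil)
	for i := range dek { // the plaintext key is not kept anywhere on the merchant side
		dek[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// ProcessorDecrypt runs wherever the private key lives. Any modification of the
// envelope fails the GCM authentication check and returns an error, not garbage.
func ProcessorDecrypt(priv *rsa.PrivateKey, env *Envelope) (string, error) {
	if env == nil {
		return "", errors.New("nil envelope")
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return "", fmt.Errorf("unwrapping data key: %w", err)
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return "", errors.New("bad nonce length")
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return "", fmt.Errorf("envelope failed authentication: %w", err)
	}
	return string(pt), nil
}

// MaskPAN is the only form of the number the merchant keeps locally
// (receipts, refund lookups): everything but the last four digits is masked.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func main() {
	// Key generation stands in for the processor provisioning a key pair in its
	// HSM and distributing only the public half to merchant software.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	const samplePAN = "4111111111111111" // constructed test number, not a real account
	env, err := MerchantEncrypt(&priv.PublicKey, samplePAN)
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant keeps %s and forwards a %d-byte envelope\n", MaskPAN(samplePAN), len(env.WrappedKey)+len(env.Ciphertext))
	pan, err := ProcessorDecrypt(priv, env)
	fmt.Printf("processor recovers %s (err=%v)\n", pan, err)
	env.Ciphertext[0] ^= 0x01 // simulate corruption or tampering in transit
	_, err = ProcessorDecrypt(priv, env)
	fmt.Printf("tampered envelope rejected: %v\n", err != nil)
}
```

The scoping argument follows from the key placement: the merchant's POS, network and backups only ever contain the envelope and the masked number, so a compromise there yields nothing decryptable without the private key held at the processor. The authenticated mode also means an altered envelope is rejected outright instead of being decrypted into a wrong account number.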

This post originally appeared on

  [1] Data pulled from Quora but reasonable given market estimates. Use at your own risk.
  [2] “The Survey of Consumer Payment Choice,” Federal Reserve Bank of Boston, January 2010