Wired magazine recently released a story about a small Utah restaurant standing up to “the industry giant.” The tale of Cisero’s Ristorante and the Payment Card Industry (PCI) is a classic story of David vs. Goliath. It’s about the small shop that is standing up for itself and challenging the PCI machine; that giant that dominates the industry. Many merchants and retailers will be waiting with baited breath on the outcome of this case and the precedence it will help shape. The ruling may ultimately change the way PCI DSS is structured, and here’s why.
Fraud has always been an issue, even before credit cards were conceived; and it became an even larger issue once the proliferation of “plastic” hit the market. When identity and payment theft became a liability to payment card brands, they came together as an industry and formed a set of standards to protect themselves, PCI DSS. The policies and practices ultimately shifted the liability of bad debt (resulting from fraudulent transactions) from the card brands onto the acquiring banks (those processing the transactions). In turn, the acquiring banks enforce PCI compliance with the merchants through a system of documentation and fees. Typically, there is an annual compliance fee for participation in the program (which is not optional) or a fee/penalty for non-compliance. With the birth of these standards and corresponding programs, the payment card industry has been able better manage their own risk while continuing to move forward with their core business of issuing/promoting the use of credit.
This fundamental change in responsibility is where the story in Utah begins. Although PCI DSS attempts to transfer the burden of fraud onto merchants, according to the Wired article, it appears that there may have never been an actual agreement between the merchants and the industry. This lack of clarity surrounding the merchant/card brand relationship marks a could be a missing element for PCI DSS, and the outcome of this case may ultimately change how compliance will impact the industry in the future.
Aside from the potential flaws in the structure of agreements or structures between entities, the fact is customer card data is safer and better protected with standards in place. Regardless of who ultimately owns the risk, the intentions of protecting cardholders are intrinsically good. (Try to imagine how many fraudulent charges have been averted since the implementation of PCI DSS.) What may have started out as a policy to simply protect card brands has evolved into a set of standards that reassures cardholders and protects valuable data from fraudulent activity.
We truly hope things work out for Cisero’s Ristorante, and in the same breath, we recognize there may likely be many other merchants dealing with similar misfortunes. When the case is ultimately resolved, our hope is that the industry learns from this example, and finds even better ways of structuring programs that affect and protect the retail industry. In the meantime, for merchants the best medicine is preventative. Becoming compliant through a well structured security program is the best assurance against reducing the risk against fraud.
What thoughts do you have regarding any potential gaps in the structure and management of PCI compliance in the retail industry (be it the at the consumer, the merchant or the card brand)?