Friday, September 5, 2008

PCI SSC Show Their True Colors -- Regulate for Profit!

PCI compliance for merchants has always been costly. PABP compliance and certification for POS vendors has always been costly as well. Earlier this year, PCI DSS announced a deal with Visa to bring under PCI DSS's wing the Payment Applications Best Practices or PABP program. Now with PCI DSS taking over the PABP program, it is morphing into PA-DSS. So far, so good, no issues – same program, a different acronym – or so we thought.

In concert with this program transfer, Visa recently published a timetable forcing merchants to only use PA-DSS approved applications. This mandate included various deadlines based on different factors and 100% compliance by July 1, 2010. This means that by July 2010, every point-of-sale (POS) application that touches credit card data must be on the PA-DSS approved list. Well, now a little nervousness sets in but for the most part, no big deal – or so we thought (unless of course, you're a merchant using legacy POS applications).

Well, the other shoe dropped today when the PCI Security Standards Council notified payment application vendors that there will be an annual listing fee attached to being on the PA-DSS approved list. My company received the following notification today from PCI-DSS:

Dear Steve,

On April 15, 2008, the Payment Card Industry Security Standards Council (PCI SSC) launched the PA-DSS program (Payment Application Data Security Standard). This program was formerly under the supervision of Visa Inc. and known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, other sensitive authentication data or PIN data, and ensure their payment applications support compliance with the PCI DSS. PA-DSS requirements apply to payment applications that are sold, distributed or licensed to third parties.

Your application is currently listed on the Visa website as PABP approved. On October 1st, 2008, Visa's list will be transitioning over to the Council. Each individual application grandfathered over to the Council's list will be given an expiration date based on the version of PABP it was validated against. There will be an annual listing fee will be $1,250.00 for each application. Please see the attached chart for more information about this date. We have attached an invoice with all of your PABP applications. Please send the PA-DSS Program Manager, Nina Beardsley, an email at if you do not want all or some of your applications on the new list or if you have any further questions about this transition.


Nina Beardsley
Nina Beardsley
PA-DSS Program Manager
401 Edgewater Place, Suite 600
Wakefield, MA 01880

Attached to this notification was an invoice demanding payment by 10/1/2008 or be removed from the list. The problem here is that Visa and MasterCard have mandated that merchants only use payment applications on the approved list so paying this fee is mandatory. My feeling is that this is nothing more than an extortion letter.

Upon reading this notification, I immediately responded to PCI DSS asking for a justification of the fee. So far, no response and I really don't expect one. I also called PCI SSC directly to verify the notification because it had such a scam smell. Much to my surprise and dismay, they confirmed it was legit. Now the program I have been promoting as “good for the industry” reeks of a scam. Let's do the math:

While Visa's current PABP list may only have a few hundred approved applications (under 1000), once the various deadlines approach, the PA-DSS approved list could easily exceed ten's of thousands of applications. If you conservatively estimate 5000 applications to be on the list by 2010, that's 5000 x $1250 = $6,250,000 in annual recurring fees! For what?
  • Maintaining a list of approved applications on a spreadsheet
  • Maintaining a security document that paying members debate about what gets added and changed in the requirements
  • Moderating these member forums
  • Setting up various “for fee” events to discuss changes among the paying members
  • Publishing this PA-DSS approved list and security document on a website
This revenue does not account for the fees PCI DSS receives from training and annual certification of the QSA's and ASV's – the people required to do the security assessments and security scans. This also ignores the revenue for the PCI-PED side of the PCI DSS house where all payment terminals are certified. Hmm, if it walks like a duck, swims like a duck and quacks like a duck, it must be a cash cow!

I would not be surprised if Bob Russo and several behind-the-scenes puppet masters will be getting a significant pay hike and bonuses over the next few years. I think the card brands need to scrutinize this entire relationship and program. At best, they have created a monopoly situation. At worst, they have enabled a scam.

As you can tell from my tone, I’m ticked. I now feel I have been promoting a scam. A program I thought was good for the industry now has to be scrutinized to determine the true intentions. This is going to stifle innovation. How many small and start-up software development companies are going to be able to afford the $5-50K for a PA-DSS audit of their application? Once approved, how many will be able to afford the $1250 annual listing fee? What is going to happen with many of the open source POS projects that are starting to gain traction in the industry? Who is going to pay these fees?

I welcome your thoughts especially if you are a POS vendor.

Since the original posting, this related story was published on StoreFrontBackTalk: