In concert with this program transfer, Visa recently published a timetable forcing merchants to only use PA-DSS approved applications. This mandate included various deadlines based on different factors and 100% compliance by July 1, 2010. This means that by July 2010, every point-of-sale (POS) application that touches credit card data must be on the PA-DSS approved list. Well, now a little nervousness sets in but for the most part, no big deal – or so we thought (unless of course, you're a merchant using legacy POS applications).
Well, the other shoe dropped today when the PCI Security Standards Council notified payment application vendors that there will be an annual listing fee attached to being on the PA-DSS approved list. My company received the following notification today from PCI-DSS:
Attached to this notification was an invoice demanding payment by 10/1/2008 or be removed from the list. The problem here is that Visa and MasterCard have mandated that merchants only use payment applications on the approved list so paying this fee is mandatory. My feeling is that this is nothing more than an extortion letter.
Upon reading this notification, I immediately responded to PCI DSS asking for a justification of the fee. So far, no response and I really don't expect one. I also called PCI SSC directly to verify the notification because it had such a scam smell. Much to my surprise and dismay, they confirmed it was legit. Now the program I have been promoting as “good for the industry” reeks of a scam. Let's do the math:
While Visa's current PABP list may only have a few hundred approved applications (under 1000), once the various deadlines approach, the PA-DSS approved list could easily exceed tens of thousands of applications. If you conservatively estimate 5000 applications to be on the list by 2010, that's 5000 x $1250 = $6,250,000 in annual recurring fees! For what?
- Maintaining a list of approved applications on a spreadsheet
- Maintaining a security document, with paying members debating what gets added to and changed in the requirements
- Moderating these member forums
- Setting up various “for fee” events to discuss changes among the paying members
- Publishing this PA-DSS approved list and security document on a website
I would not be surprised if Bob Russo and several behind-the-scenes puppet masters get a significant pay hike and bonuses over the next few years. I think the card brands need to scrutinize this entire relationship and program. At best, they have created a monopoly situation. At worst, they have enabled a scam.
As you can tell from my tone, I’m ticked. I now feel I have been promoting a scam. A program I thought was good for the industry now has to be scrutinized to determine the true intentions. This is going to stifle innovation. How many small and start-up software development companies are going to be able to afford the $5-50K for a PA-DSS audit of their application? Once approved, how many will be able to afford the $1250 annual listing fee? What is going to happen with many of the open source POS projects that are starting to gain traction in the industry? Who is going to pay these fees?
I welcome your thoughts, especially if you are a POS vendor.