Emerging Payment Technologies and Due Diligence: A Warning about “Silver Bullets”

February 09, 2015, Matt Getzelman, PCI Practice Director

2015 will be an exciting year for the payments industry, especially for merchants that now have a number of new payment technologies at their disposal.  Emerging payment technologies such as Point-to-Point-Encryption (P2PE), Tokenization, EMV/Chip and Signature and Mobile Payment Acceptance are hitting the market globally and all of them can help reduce the risk of cardholder data compromise as well as potentially impact the compliance posture of merchants that choose to adopt them.

Coalfire prides itself on working closely with all of the organization types that make up the payment industry including:

  • Merchants (retailers, e-commerce)

  • Service Providers (payment gateways, managed services)

  • Acquiring Banks / Issuing Banks

  • The Payment Card Industry Security Standards Council (PCI SSC)

  • Qualified Security Assessor (QSA) Companies

  • The Card Brands (Visa, MasterCard, American Express, Discover, JCB)

  • Payment Solution Providers

The payment card industry as a whole functions most efficiently when all participating organizations work together towards the same goal.  As these new technologies continue to evolve our understanding of them also changes.  Not only in the manner in which they can impact the overall security of an organization but also in the way an organization meets and validates compliance with the PCI Data Security Standard (PCI DSS).

A Message for the Merchants:  When performing due diligence on these technologies it is critical to ensure your organization has the most current information on the risk and compliance impact that these technologies may be able to offer --Not just information from the potential Payment Solution Provider itself, but from multiple organization types that span across the industry.  Most importantly, the Acquiring Bank(s), the PCI SSC and the Card Brands need to agree on a consensus of the compliance implications of the technologies you adopt.  Most of the Payment Solution Providers in the payments industry do a fantastic job of vetting their products and solutions across multiple organizations including Acquiring Banks and QSA companies like Coalfire Systems for two primary purposes:

  1. Having an independent and qualified third-party company test and evaluate a payment solution provides credibility in the industry.  This company can provide recommendations and guidance on the potential risk reduction benefits that the solution can afford when implemented properly.  It is important to note, however, that these recommendations and guidelines are just that, recommendations only.  Since the Card Brands and the PCI SSC are the final authority with regard to PCI DSS compliance programs, any input from third-parties, including QSAs, should never supersede or conflict with control specifications and guidance from the Card Brands or PCI SSC.  If a merchant does detect a conflict, they should seek further clarification before deploying controls that may in fact result in elevated risk to cardholder data and non-compliance. 

  2. The resulting recommendations and potential benefits are vetted with Acquiring Banks, the PCI SSC and/or Card Brands as applicable to ensure they are not at odds with any existing standard or guidance.

Coalfire has been asked to conduct a large number of technical evaluations of emerging payment technologies over the last few years.  As part of these evaluations we are often asked to provide guidance on the risk and compliance implications that these solutions could offer for merchants.  Coalfire takes great care to ensure the information we provide does not contradict the interpretations of the Acquiring Banks, the standards managed by PCI SSC or the rules and regulations set forth by the Card Brands.  Above all else, we go to great lengths to ensure our whitepapers, blogs or webinars are clear in one prevailing message:

  • The information we will provide following the technical evaluation of any payment technology has to be viewed as guidance only.  There is no guarantee a merchant’s Acquiring Bank or ultimately the PCI SSC will accept and agree with our interpretation of the risk reduction or any potential control reduction.  We will always defer to the SSC and/or the Acquiring Bank in those scenarios.

For the most part, our payment solution provider partners do a great job of ensuring this message stays visible when referencing our whitepapers and advisory work.  Unfortunately, it has recently come to our attention that there are some vendors in the industry that are either misrepresenting or misinterpreting our guidance in order to portray a perceived benefit or advantage for their specific solution beyond the original guidance.  Furthermore, some vendors are releasing this information without Coalfire’s prior knowledge or approval. These “Silver Bullet” type of sales pitches can have a negative impact on the payment card industry as a whole as they only serve to spread disinformation throughout the community. Coalfire monitors multiple types of media communications across our industry to try and prevent these ill-fated messages from reaching merchants who may be unaware of the danger. 

That’s why this message and warning is so important.  Thorough due diligence when selecting a Payment Solution Provider is critical to ensure that the message they are selling to you is in fact valid for their product(s).  Here are a few things to look for when reviewing one of these communications:

  • Do quotes or references include a link back to the original source?  Without the original source, the context can be misunderstood or misused.

  • What are the dates associated with the whitepaper or reference?  The payment industry is constantly changing and so is the interpretation of associated standards and guidance.  Using a reference that’s more than 2-3 years old may not be appropriate depending on the scenario.

  • Are there any references to PCI SSC documentation or the card Brands?  This is by no means a guarantee of accuracy but it’s typically a good sign.

  • Are quotes from internal or external sources?  External source qualifications can vary, but if all or most quotes are from someone within the same organization that is offering the solution, their objectivity may be in question.

Coalfire always encourages merchants and service providers to reach out to us (or any other QSA company), their Acquiring bank and even the PCI SSC to validate the legitimacy of the guidance they are presented before final decisions are made.  It is crucial that we all continue to work together in the payments industry towards a common goal:  reducing the overall risk of compromise.

Matt Getzelman


Matt Getzelman — PCI Practice Director

Recent Posts

Post Topics