29.03.2013 Views

payments - Retail Systems


you’re looking for. So, this is in a pre-authentication scenario, you need the transaction to be both 3D Secure and tokenised and correctly charged. So once we have this, more retailers out there will find it easier to become compliant.

AJ: So what you’re saying is, it’s not a lack of awareness, it’s just the tools aren’t really out there?

AH: I believe the tools are not available. The technical challenges of implementing the harder PCI standard regulations are just too great. Retailers have commercial drive and a limited amount of money to implement these kinds of technologies. The reasonable take on this would be to wait until the right tools are out there, which is dangerous in itself because it becomes too tempting to simply tick the box with your card portal and implementation plan.

SB: When we’re out speaking to merchants the thing that often strikes me is that merchants don’t understand their requirements around PCI. The biggest response we get is that they’ve taken on a solution – whether that be a standalone solution or PSP service – and as part of that the stand they’re taking on everything is that they’re compliant. There’s a lack of understanding on the retail side, they don’t understand all the requirements around PCI. Yes, there’s a self-assessment questionnaire to fill in but how many retailers have actually got somebody who’s got the expertise to answer those questions and actually understand what those questions mean? In my experience very few. It is for this reason why Phoenix, as vendors, has taken it upon ourselves to help educate the smaller merchants we are working with through various trade organisations. Yes, the acquirers have a responsibility to help and educate their merchants but I believe everyone in the payments chain has a duty to educate including the PCI Council and the vendors.

BF: I think the biggest problem we have in our company is to get management to understand that it is a continuous job and it does take a lot of energy away from the likes of the IT department, the infrastructure – because PCI is not only IT – and educating the whole business. Our top management doesn’t understand that we have to invest in that as well.

CM: We’ve had quite a focus on PCI for a number of years now but we’ve only just become compliant in the US. And the UK, which is another key market for us, is the only other market where we’ve integrated solutions and at the moment we’re on a standalone piece which removes the scope to a certain degree depending on country by country and acquirer by acquirer. I think it’s more difficult for an international brand to go across the board with one solution and we’ve just had to tackle it market by market.


AJ: Did you take the same approach as Alex – taking your systems out of scope of the PCI standard altogether by making sure that sensitive payment information from customers does not enter your systems?

CM: We de-scoped completely, that was our whole approach; a semi integrated solution that de-scoped PCI completely. We’re very much watching the market because of the dynamic changes there are in payments solutions at the moment, that’s got a big pull in terms of our vision going forwards.

CP: I always had the philosophy that if you don’t have it you don’t have to protect it. I told my merchants to keep the cards and payments area outside in e-commerce – this was way before PCI. So when PCI came along I continued the philosophy. In the five years that I did consultancy for the Post Office, from the very beginning it was – get rid of the data. The Post Office is the biggest retailer in Europe. And if the biggest retailer in Europe doesn’t need to hold card data, then no-one else does. There are 20 people who have access to data at the Post Office, because they need to have access to data for prosecution purposes. The key to it is outsourcing.

JK: Just to say that the big merchants, the tier 1 merchants of the UK, don’t understand PCI is wrong. From my experience they do and the vast majority, if they aren’t compliant, are in the final stages of reaching compliance. Is there a problem with the small merchants? Absolutely. The main problem is that they don’t understand the language we’re talking. And it is our role, along with everybody involved in this process – acquirers, banks, card associations and brands – to try to simplify the message. If small merchants only took payments face-to-face they wouldn’t have a problem, but many small merchants are moving into e-commerce. The problem is that they’re not IT experts, they haven’t got a clue about security and they’ve walked into a minefield.

AJ: So is it more of a problem for the acquirers and the banks?<br />

JK: It’s a problem for everybody, including the acquirers and schemes and banks and brands. We have to get down there and talk to the small merchants and say to them: ‘Just use a third party payment provider. It’s going to cost you £60 a month, and I know that’s a lot of money, but you’re going to save yourself a whole heap of bother.’

AJ: Is the message then to outsource?<br />


June - July 2012 RS 33
