PCI soothes nerves and promotes youthful vigor… good fer what ailes ye.
Posted by Ed in Analysis on May 18, 2009
So, Pete Lindstrom posed an interesting question the other day: does PCI work?
Now, the answer to this question is both simple and complicated: which is, it works for what it was built for – which may or may not have anything to do with making organizations more secure. Sound crazy? Paradoxical? Out of left field? Maybe so.
But let me ask you to reflect for a second on why PCI came out when it did. Why didn’t it, for example, come out in the eighties? It’s not because there wasn’t fraud then – remember carbon-stealing, BBS carders, and card forgers? They were around back in the day. But PCI – or CISP when it was just VISA out in front – didn’t start until 2001. Why then and not some other time? The answer, it seems to me, speaks directly to Pete’s point about whether or not it works and also speaks to why people perceive thefts/attacks as problems with the standard.
So, for those folks who don’t remember back that far, 1996-2001 was the era of ecommerce. Everybody and their brother started offering goods for sale over the Internet. Since credit cards were the primary vehicle for online sales, this meant a tremendous number of credit card transactions. There seemed to be no ceiling, and for folks whose business model gave them 2 percent of all goods sold that way? Well, that meant big, big, big bucks.
But there was a problem. Consumers were afraid. They didn’t want to use their credit cards on the Internet. Studies like this one demonstrate that respondents were scared to make purchases because of perceived security risks. Articles like this one from Wired (called “Ecommerce Fears? Good Reason”) were jacking up consumers about the dangers and discouraging folks from using plastic online.
In short, the plastic folks had a marketing problem. Not a security problem, mind you. Why not? Because fraud was already built into the system. Fraud had been happening for decades – the customer wasn’t liable, the banks weren’t liable, the merchants were liable (but it was worth it to them because of the increased business they were doing.) The security of the system was fully understood. But the image problem? Well, that had people losing money… which was patently unacceptable.
What to do? Well, the technical initiatives weren’t faring so well, so what next? How about a vendor compliance program? Why not something called the “cardholder information security program”? Primary purpose: make consumers feel good about using their cards again, tap into the revenue stream held hostage by skittish online shoppers, and cut off the knees of any competitive payment vehicles that might be seeking to capitalize on the fear (Flooze, anyone?).
The real beauty of the compliance program is the subtext – which is that cards are fine from a security perspective, and instead it’s the merchant that has had the security problem all along… if the dang belligerent merchants would get in line, it’d be safe again to use plastic and things would be all right with the world.
So now here we are 8 years later. SET failed. CISP is now PCI. So, ask yourself… Did it work? Damn skippy. You know how much commerce there is now? Lots. Are people scared to use their cards online? Nope. So, mission accomplished.
Now, the other question… about whether we’re more secure or not. That’s a bigger issue.