Merchants Launch Overdue PCI Rebellion

October 6th, 2007

I’m a fan of PCI. A big fan in fact. Of the standard itself, the motives that drive it, and the results it produces. In my judgment, PCI is the greatest infosec legitimizer to date, bar none. (I don’t believe it’s driven the most change, but that’s a story for another day.)

Although I’m a fan of PCI’s motives — and by that I mean the published ones — I’m no fan of the motives behind the motives. This is why I’m so happy to hear about the National Retail Federation’s rebellion against PCI. It’s about time the merchants got together and got their act together.

I’ve written about all this before. While Visa and Mastercard et al. (and the banks they represent) are promoting outstanding security improvements, their real agenda is to push all consumer fraud liability downhill. There are only a few places for it to go: payment processors, though they also inherit a lot of PCI teflon; merchants, who are about to start absorbing all the shock; and then the consumers, who are about to start subsidizing merchants’ shock absorbers.

On one level, this is no big deal. Every business is motivated to push liability away from itself. That’s life. On another level, it is a big deal. Credit cards have existed in one form or another since around 1900 give or take a few years. If we’re going to spend a bazillion dollars in the interest of consumer privacy, why aren’t we upgrading the century-old system? There’s a killer app for Moore’s Law if there ever was one.

Merchants are wising up to the fact that they have strength in numbers. They’re just not aiming at the right target yet. Their first volley against PCI addresses their beef with needing to warehouse credit card numbers. Fact of the matter is, they don’t even need to know credit card numbers.

Ironically, the card companies knew this a long time ago, and to their credit they tried to push it. That’s what the Secure Electronic Transaction (SET) protocol was all about more than a decade ago. Banks got the card number without knowing what was purchased; merchants got the purchase order but not the card number. SET is security done right: everybody gets only what they need to know, and only a conspiracy can defeat it. Too bad it didn’t carry an ROI for the merchants back then. Give it another year.
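The need-to-know split described above rests on SET’s dual signature: the cardholder hashes the order information (OI) and the payment information (PI) separately, then signs the hash of the two hashes. The merchant receives OI in the clear plus H(PI); the bank receives PI in the clear plus H(OI); both verify the same signature, and neither can read the other’s half or swap in a different one. The following is an added, simplified illustration of that construction, not code from this post or from the SET specification. Its signing primitive is HMAC-SHA256 with a shared key so that it runs on the Python standard library; real SET used RSA signatures against the cardholder’s certificate, which is what gives non-repudiation (with a shared HMAC key, either verifier could forge, so the toy does not achieve the “only a conspiracy” property on its own). The random nonce inside PI is also an addition here: a commitment over a 16-digit card number alone has too little entropy to resist brute forcing by whoever holds the hash.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the cardholder's signing key. SET used an RSA key pair held by
# the cardholder's wallet software; HMAC keeps this example on the standard library.
CARDHOLDER_KEY = b"constructed-cardholder-signing-key"


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _canonical(record: dict) -> bytes:
    # Deterministic serialization so every party hashes exactly the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def dual_sign(order_info: dict, payment_info: dict, key: bytes) -> dict:
    """Cardholder side: one signature commits to both halves of the transaction.

    Returns the two messages to be sent out: the merchant gets OI in clear plus H(PI),
    the bank gets PI in clear plus H(OI). Neither message carries the other's plaintext.
    """
    oi_hash = _h(_canonical(order_info))
    pi_hash = _h(_canonical(payment_info))
    pomd = _h(oi_hash + pi_hash)  # payment-order message digest (the thing actually signed)
    signature = hmac.new(key, pomd, hashlib.sha256).digest()
    return {
        "to_merchant": {"order_info": order_info, "pi_hash": pi_hash, "signature": signature},
        "to_bank": {"payment_info": payment_info, "oi_hash": oi_hash, "signature": signature},
    }


def merchant_verify(msg: dict, key: bytes) -> bool:
    """Merchant recomputes H(OI) from the order it can read and checks the signature
    against H(H(OI) || H(PI)); it never learns the card number behind H(PI)."""
    oi_hash = _h(_canonical(msg["order_info"]))
    expected = hmac.new(key, _h(oi_hash + msg["pi_hash"]), hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["signature"])


def bank_verify(msg: dict, key: bytes) -> bool:
    """Bank recomputes H(PI) from the payment details it can read and checks the same
    signature; it never learns what was bought behind H(OI)."""
    pi_hash = _h(_canonical(msg["payment_info"]))
    expected = hmac.new(key, _h(msg["oi_hash"] + pi_hash), hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["signature"])


def demo() -> dict:
    # Constructed sample transaction; the PAN is a well-known test card number.
    order_info = {"merchant": "example-merchant", "order_id": "C-1001",
                  "amount_cents": 4999, "items": ["widget"]}
    payment_info = {"pan": "4111111111111111", "expiry": "12/09",
                    "nonce": secrets.token_hex(16)}  # nonce: our addition, see lead-in

    bundle = dual_sign(order_info, payment_info, CARDHOLDER_KEY)
    merchant_msg, bank_msg = bundle["to_merchant"], bundle["to_bank"]

    # A merchant that edits the amount after the fact breaks the commitment.
    tampered_order = dict(merchant_msg, order_info=dict(order_info, amount_cents=1))
    # A bank handed a different order hash cannot pair it with the signature either.
    tampered_bank = dict(bank_msg, oi_hash=_h(b"some other order"))

    return {
        "merchant_ok": merchant_verify(merchant_msg, CARDHOLDER_KEY),
        "bank_ok": bank_verify(bank_msg, CARDHOLDER_KEY),
        "tampered_order_rejected": not merchant_verify(tampered_order, CARDHOLDER_KEY),
        "tampered_bank_rejected": not bank_verify(tampered_bank, CARDHOLDER_KEY),
        # Need-to-know: the card number is absent from the merchant's message and the
        # purchased items are absent from the bank's.
        "merchant_sees_pan": payment_info["pan"] in repr(merchant_msg),
        "bank_sees_items": "widget" in repr(bank_msg),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the two verifications succeed, both tampered variants fail, and neither party’s message contains the other’s plaintext. The property the post praises falls out of the structure rather than out of trust: the merchant is never in a position to warehouse card numbers because it never received one.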

Ok merchants: Ready … SET … Go!
