PCI DSS. Outsourcing. Self-regulation.

Kyryll Prytula
7.10.2022

How regulation opposes the tide of in-house processing deployment.

Let’s ignore the payment industry for a moment and think about life outside it. Software purchasing has changed immensely. It has become much less common to shell out $50 to $150 for a CD in retail packaging. Even Microsoft, which for most of our lifetimes has set the terms for how software is sold and distributed, has rolled out subscription-based pricing with Office 365. We now expect to download software for free, or to pay just $2.99 for an “expensive” app.

To bring the discussion back to payments, we now expect online banking, mobile check deposits, and financial management software (e.g., mint.com) to be free as well. Sure, most of this isn’t actually free; we pay with our time, with our willingness to be advertised to and spammed, and with our contributions to anonymous data mining. But this is still far less of an obstacle to getting new software than getting in the car, driving to the store, and paying $75 for a box with a CD in it.

If we dive fully back into the payments industry, has its model moved in the same direction? Why or why not? Certainly, the payments industry has been shaped by the same open software principles that have shaped the retail market. Whereas not so many years ago processing platforms ran proprietary software on proprietary hardware, things are much more open now. From a purely technical perspective, you can stand up a processing platform today with off-the-shelf hardware, off-the-shelf operating systems, and software that at least builds on some open source foundations.

But there is something in the payments industry that opposes this tide of openness and do-it-yourself technology: regulation. If it weren’t PCI DSS it would be something else, but today it is largely PCI DSS. The cost of doing things according to PCI DSS requirements, documenting it all according to PCI DSS requirements, and then paying a QSA (Qualified Security Assessor) to audit all of it stands against openness, diversification, and going your own way. That is not to say that these things prohibit it, nor that PCI DSS’s requirements are without merit, but it is to say that they discourage small independents and favor larger organizations that can absorb these costs.

Will the tide be overcome, and how? SaaS and outsourcing don’t really address the issue; they just hide it behind a subscription-based model, since the provider still bears the compliance cost and passes it on. As long as banking remains a centrally controlled paradigm, payments are likely to follow along. Things can change on the outskirts, with mobile wallets, tokenisation, PayPal and its clones, but payments at their core are likely to follow the banking industry’s path of further consolidation and regulation.