Are you an SME or SP unsure of which SAQ to use to validate that CHD and SAD in the form of PAN and CVV or CID in your environment complies with the PCI DSS created by the PCI SSC?
Oh great, another bunch of IT acronyms! This is the first of three articles exploring the ‘Payment Card Industry Data Security Standard’ or PCI DSS. Unfortunately, PCI is acronym city.
The PCI DSS is a collaborative effort by the major card brands (Visa, MasterCard, Amex, Discover and JCB) to try to improve the security around the storing, processing and transmitting of cardholder data (CHD) and reduce the likelihood of credit card data theft. In just one major incident, more than 100 million card details a month were stolen, and this went on for several months.
Unfortunately, the PCI DSS is a ‘one size fits all’ security standard. This is where it hurts small business. Whether you handle many millions or just a few dozen cards per year, you have to comply with all the same security controls – and there are over 240 of them.
Compliance is binary; either you are or you aren’t. To make matters worse, achieving compliance is only the start. Once achieved, it has to be maintained 365 days a year. For small retailers, achieving and maintaining compliance can be nigh on impossible.
This may sound like a nightmare, but from a security professional’s standpoint, the PCI DSS is really a minimum security standard. It shouldn’t be that difficult to achieve. Moreover, it can help secure all personal/sensitive data that your company may hold. This may alleviate future problems if companies are forced to disclose the loss of personal data through tightening of the Privacy Act.
Chances are your bank (also known as an acquirer) may have sent you a letter telling you that you need to be PCI compliant. They may have given you a Self Assessment Questionnaire (SAQ) to fill in or a ‘Prioritised Approach’ spreadsheet to follow.
The SAQ you received is dependent on how you accept credit cards and how many you process per year. You will be required to answer between 11 and 240 questions. As the name suggests, it is where you assess your IT security against the requirements of the standard yourself.
So what are your choices? Well, other than implementing changes to achieve compliance, you can stop taking credit cards, and then PCI no longer applies. Without being funny, this may be the best option for some. An alternative is to outsource the card handling to a service provider who is PCI compliant. This is quite easy to achieve if you just have a shopping cart on a web page, but PCI gets a bit tricky if you also take credit cards on a networked POS system, over the phone, by fax or, heaven forbid, by email or on a paper form.
One thing you must not do is underestimate the PCI DSS. Despite being a baseline security standard, the chances are that it is way above what you or your providers are doing today. It is also very prescriptive, so while you may take a risk-based attitude towards security, there is little room for that in the standard.
Beware anyone who claims they can sell you a ‘widget’ that will ‘make you PCI compliant’. If they make claims like that, then either they simply do not understand the PCI DSS, or they are taking advantage of the fear of the unknown.
Read part 2 here.
Security-Assessment.com is certified to provide assistance with PCI DSS compliance initiatives. Peter Locke and Roger Greyling are certified QSAs (Qualified Security Assessors) capable of validating your compliance.
For more info visit www.security-assessment.com