Story image

Credit Card Safety - Part 1

01 Oct 2010

Are you an SME or SP unsure of which SAQ to use to validate that CHD and SAD in the form of PAN and CVV or CID in your environment complies with the PCI DSS created by the PCI SSC?

Oh great, another bunch of IT acronyms! This is the first of three articles exploring the ‘Payment Card Industry Data Security Standard’ or PCI DSS. Unfortunately, PCI is acronym city.

The PCI DSS is a collaborative effort by the major card brands (Visa, MasterCard, Amex, Discover and JCB) to try to improve the security around the storing, processing and transmitting of cardholder data (CHD) and reduce the likelihood of credit card data theft. In just one major incident, more than 100 million card details a month were stolen (for several months).

Unfortunately, the PCI DSS is a ‘one size fits all’ security standard. This is where it hurts small business. Whether you handle many millions or just a few dozen cards per year, you have to comply with all the same security controls – and there are over 240 of them.

Compliance is binary; either you are or you aren’t. To make matters worse, achieving compliance is only the start. Once achieved, it has to be maintained 365 days a year. For small retailers, achieving and maintaining compliance can be nigh on impossible.

This may sound like a nightmare, but from a security professional’s standpoint, the PCI DSS is really a minimum security standard. It shouldn’t be that difficult to achieve. Moreover, it can help secure all personal/sensitive data that your company may hold. This may alleviate future problems if companies are forced to disclose the loss of personal data through tightening of the Privacy Act.

Chances are your bank (also known as an acquirer) may have sent you a letter telling you that you need to be PCI compliant. They may have given you a Self Assessment Questionnaire (SAQ) to fill in or a ‘Prioritised Approach’ spreadsheet to follow.

The SAQ you received is dependent on how you accept credit cards and how many you process per year. You will be required to answer between 11 and 240 questions. As the name suggests, it is where you assess your IT security against the requirements of the standard yourself.

So what are your choices? Well, other than implementing changes to achieve compliance, you can stop taking credit cards and then PCI no longer applies. Without being funny, this may be the best option for some. An alternative is to outsource the card handling to a service provider who is PCI compliant. This is quite easy to achieve if you just have a shopping cart on a web page, but PCI gets a bit tricky if you also take credit cards on a networked POS system, or over the phone, by fax and heaven forbid, by email or on a paper form.

One thing you must not do is underestimate the PCI DSS. Despite being a baseline security standard, the chances are that it is way above what you or your providers are doing today. It is also very prescriptive, so while you may take a risk-based attitude towards security, there is little room for that in the standard.

Beware anyone who claims they can sell you a ‘widget’ that will "make you PCI compliant”. If they make claims like that, then either they simply do not understand the PCI DSS, or they are taking advantage of the fear of the unknown.

Read part 2 here. is certified to provide assistance with PCI DSS compliance initiatives. Peter Locke and Roger Greyling are certified QSAs (Quality Security Assessors) capable of validating your compliance.

For more info visit

50 million tonnes of e-waste: IT faces sustainability challenges
“Through This is IT, we want to help people better understand the problem of today’s linear “take, make, dispose” thinking around IT products and its effects like e-waste, pollution and climate change."
Vocus & Vodafone unbundle NZ's fibre network
“Unbundling fibre will provide retail service providers with a flexible future-proofed platform regardless of what tomorrow brings."
IDC: A/NZ second highest APAC IoT spenders per capita
New IDC forecast expects the Internet of Things spending in Asia/Pacific excluding Japan to reach US$381.8 Billion by 2022.
Xero launches new data capture product in NZ
“Data automation is the fastest growing app category on the Xero app marketplace so we know there is a hunger for these types of tools."
Security flaw in Xiaomi electric scooters could have deadly consequences
An attacker could target a rider, and then cause the scooter to suddenly brake or accelerate.
Four ways the technology landscape will change in 2019
Until now, organisations have only spoken about innovative technologies somewhat theoretically. This has left people without a solid understanding of how they will ultimately manifest in our work and personal lives.
IDC: Top 10 trends for NZ’s digital transformation
The CDO title is declining, 40% of us will be working with bots, the Net Promoter Score will be key to success, and more.
Kiwi partner named in HubSpot’s global top five
Hype & Dexter is an Auckland-based agency that specialises in providing organisations with marketing automation solutions.