Okay, so I am a merchant who has just received notification from my acquiring bank that I need to provide them with my compliance state for the Payment Card Data Security Standard (PCI DSS). Where do I start? My bank has pointed me to the Payment Card Industry Security Standards Committee (PCI SSC) website.
Excellent, as easy as that! I am ready to go – PCI DSS compliance here I come…
[fusion_builder_container hundred_percent="yes" overflow="visible"][fusion_builder_row][fusion_builder_column type="1_1" background_position="left top" background_color="" border_size="" border_color="" border_style="solid" spacing="yes" background_image="" background_repeat="no-repeat" padding="" margin_top="0px" margin_bottom="0px" class="" id="" animation_type="" animation_speed="0.3" animation_direction="left" hide_on_mobile="no" center_content="no" min_height="none"]
PCI DSS where do I start?
PCI DSS is a suite in the region of 349 controls that are taken from industry standards, to be applied as a ‘baseline’ against an organization's card payment processes; covering all the assets (technology, people & processes), see figure 2, which support and facilitate the payment card business operations.
[/fusion_builder_column][fusion_builder_column type="1_1" background_position="left top" background_color="" border_size="" border_color="" border_style="solid" spacing="yes" background_image="" background_repeat="no-repeat" padding="" margin_top="0px" margin_bottom="0px" class="" id="" animation_type="" animation_speed="0.3" animation_direction="left" hide_on_mobile="no" center_content="no" min_height="none"]
The complexity and difficulties present themselves - as soon as I start to try and identify what should be protected- using the PCI DSS controls, and which should not (in scope, out of scope).
Some commonly asked questions:
- What happens if I transfer the risk to another company – outsourcing the responsibility?
- What happens if I replace my payment card devices with the latest ‘state of the art’ systems? These encrypt the data at source and are deemed by the PCI SSC as being one of the 14 validated payment platform, which encrypt the payment card data at the very point of receipt.
- What if my business only uses General Packet Radio Service (GPRS) to process and transmit the payment card operations?
- There is no connection to my network and the payment card devices (i.e. PDQ, PTS, chip & pin, chip & signature, brick & mortar) - Surely, now I no longer need to worry about PCI DSS?
- What if my business process involves the receipt of payment card data, over the telephone (Mail Order, Telephone Order (MOTO), but input it directly into an approved virtual terminal environment?
- The customer’s payment card data is entered directly into the virtual terminal, provided and hosted by a 3rd party
- How about my payment card operations, where I employ the use of a payment application to receive and process the customer’s payment card data?
- What controls might apply to this type of business operation?
- What about my ecommerce site, where all the payments are processed by a 3rd party?
No storage of cardholder data
Surely, now I no longer need to worry about PCI DSS?
If only it were that easy, the criminals/hackers are too clever to allow things to be that easy. However, with the release of PCI DSS, v3.1, the PCI SSC has gone to some efforts to help identify the applicable controls aligned to a business's card payment functions, through the introduction of nine self-assessment questionnaires (A, P2PE-HW, B, C-VT, B-IP, C, A-EP, D, D-SP). These can be used to identify the applicable controls, per type of payment channel, making it easier to evaluate and submit compliance; per channel.
Actions for your PCI DSS journey
However, it is extremely important to ensure that each payment channel meets the specific criteria. Otherwise, it could well be a case of defaulting to the full weight of an Self Assessment Questionnaire (SAQ) D-M (circa 331 controls – merchant) or for a service provider, always the full weight of a SAQ D-SP (circa 349 controls). Therefore, the following actions are highly recommended for both business operations - enhancement/alignment and compliance:
• Review the SAQs from the PCI SSC website
• Review the payment channels against the criteria, from the SAQs
[/fusion_builder_column][/fusion_builder_row][/fusion_builder_container][fusion_builder_container background_color="#e5e5e5" background_image="" background_parallax="none" parallax_speed="0.3" enable_mobile="no" background_repeat="no-repeat" background_position="left top" video_url="" video_aspect_ratio="16:9" video_webm="" video_mp4="" video_ogv="" video_preview_image="" overlay_color="" overlay_opacity="0.5" video_mute="yes" video_loop="yes" fade="no" border_size="1" border_color="#707070" border_style="solid" padding_top="10" padding_bottom="10" padding_left="5" padding_right="5" hundred_percent="no" equal_height_columns="Yes" menu_anchor="" class="" id=""][fusion_builder_row]
SAQ C-VT merchants confirm that, for this payment channel:
- Your company’s only payment processing is via a virtual payment accessed by and internet connected web browser
- Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third party service provider
- Your company accesses the PCI DSS compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via firewall or network segmentation to isolate the computer from other systems)
- Your company’s computer does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store and forward)
- Your company’s computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached)
- Your company does not otherwise receive or transmit cardholder data electronically through any channels (for example, via internal network or the internet)
- Your company retains only paper reports or paper copies of receipts, and these documents are not received electronically; and
- Your company does not store cardholder data in electronic format
This SAQ is not applicable to e-commerce channels.
• Engage in the services of a reputable QSA company.
• Carry out due diligence on the appointed QSA, from that company. Investment in good advice is priceless.
Net Benefits of PCI DSS
• Effective alignment of payment channels to controls
• Effective business to PCI DSS alignment
• Reduce the complexity of PCI DSS
• Simpler and structured approach to aligning a payment channel to PCI DSS compliance – secure card payment processes
• Improved cost-effective and efficient decision making
To contact Nettitude's editor, please email firstname.lastname@example.org.