Store, Transmit or Process Credit Card Data? 4 Things You Need to Know

Guest Post by Chris Mark, ProPay
Chris Mark is the EVP of Data Security and Compliance for the ETA 2010 ISO of the Year, ProPay. Chris is a former MasterCard employee, founding member of the PCI SSC, former QSA and QSA Trainer. As a Visa trainer he trained over 15,000 people on PCI-related topics. Chris has spoken at scores of events and published numerous articles on payment card security and the PCI DSS.
For companies that store, transmit, or process payment card data (credit or debit cards), compliance with the Payment Card Industry Data Security Standard (PCI DSS) is mandatory. Some of those companies must also validate compliance to meet the requirements of the card brands and banks. The PCI DSS is a set of 12 high-level requirements and approximately 220 sub-requirements. Most who have had to comply with the standard would likely agree that using the word ‘difficult’ to describe achieving compliance is an understatement. Quite frankly, achieving and maintaining compliance with the PCI DSS is an extremely challenging and expensive undertaking. Fortunately, there are ways to reduce the headache and associated cost of PCI DSS compliance.

Don’t store, transmit or process Cardholder Data.

While this may not sound feasible, many, if not most, small businesses can leverage technologies that reduce or completely remove the data that is stored. As the PCI DSS only applies to the companies that store, transmit or process Cardholder Data, removing such data can remove the need to comply with the requirements. Technologies such as hosted payment pages and secure payment redirects allow data to bypass merchant eCommerce systems. Since the transaction data never traverses the company’s own systems, the PCI DSS requirements are reduced significantly. Rather than having to comply with all 12 requirements and their sub-requirements, the company would only need to comply with requirement 12.8 (Contracts) and requirement 9 (physical security).

Minimize the Cardholder Data Environment Footprint.

If it is not possible to completely remove the data from your environment, you can still realize significant benefits by reducing the Cardholder Data ‘footprint’. Retail merchants that are using only ‘standalone’ point of sale terminals that are not connected to other systems will have a much more limited scope than merchants using more complex systems. Additionally, using Virtual Terminals may reduce the scope, as well. If more sophisticated Integrated Point of Sale (IPOS) systems are used, ensuring that the systems are adequately segmented from other systems will still limit the PCI DSS footprint. In the world of compliance, even a small savings is worth pursuing.
Technologies such as tokenization and “end to end” encryption can also be used with great success to reduce the PCI DSS footprint or even remove systems from scope (see #1 above).

Minimize Technology to the Extent Possible.

The type of technology used will have a major impact on the challenge of achieving compliance with the PCI DSS. As an example, wireless technologies, such as WiFi, present some unique challenges, as WPA2 encryption must be used to protect cardholder data. Many smaller companies are currently using the outdated WEP technologies that are simply not compliant with the PCI DSS. While leading and bleeding edge technology is fun and helps companies appear ‘cutting edge’, it can have a real downside in terms of compliance. Carefully consider which technologies you want to employ in your cardholder data environment. Minimizing technologies such as wireless networking will reduce the headaches when pursuing compliance.

Educate Yourself on PCI DSS.

The demand for PCI DSS products and services has created a cottage industry of self-proclaimed ‘experts’. While some do possess expertise, many are less than qualified to wear the title of expert. Taking the time to educate yourself on the PCI DSS, its requirements, and techniques and technologies that can be used to aid compliance will prove invaluable. I have spoken to companies that spent over $1 million on technology that was completely unneeded, simply because they did not take the time to closely read the requirements. There is simply no replacement for individual education.
While the PCI DSS can be challenging to comply with, the tips mentioned in this post should make the process easier.
You can read more tips and tricks by visiting the ProPay Blog at: or registering for the monthly newsletter at the same address.