If there is ONE person who knows a lot about credit card (and other information) security and how retailers can protect themselves from hackers stealing their data, it’s Chris Mark, EVP of Data Security and Compliance for ProPay.
Chris is a former MasterCard employee and a founding member of the Payment Card Industry (PCI) Security Standards Council. As a Visa trainer he trained over 15,000 people on PCI-related topics. Chris has spoken at scores of events and published numerous articles on payment card security and the PCI DSS.
We asked him to share his insight and help you navigate the often-confusing maze of credit card compliance requirements and security.
Since around 2007, numerous banks and ISOs have been charging PCI DSS “compliance fees” to merchants that are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of 12 high-level requirements that apply to all organizations that store, process, or transmit payment card data. Some companies bill the fee as covering ‘compliance costs’, while others bill it as a penalty for ‘non-compliance’. Regardless of how the fee is labeled, you should take a close look at it. I have seen fees as high as $139 per year for “compliance costs”. This is difficult to justify, and it may be worth looking for a new merchant service provider that does not charge such a fee.
Some of the ‘compliance fees’ bundle services such as external network vulnerability scanning and completion of a self-assessment questionnaire (SAQ). These are useful services, and they may be required to validate compliance with the PCI DSS, but companies should understand their limitations: a scan tests only the Internet-facing systems it is pointed at, at the moment it runs, and an SAQ records what the merchant says about its own controls. Neither one verifies that the controls are actually in place and working day to day.
All companies that store, process, and/or transmit payment card data must comply with the PCI DSS. Some companies must also validate that compliance. Merchants that process fewer than 20,000 e-commerce transactions, or fewer than one million total transactions, per year and per brand (Visa or MasterCard counted separately, not in aggregate) are commonly referred to as Level 4 merchants. The card brands do not require Level 4 merchants to validate compliance, but the merchant’s acquiring bank may.
Compliance is a ‘state of being’. It is much like carrying auto insurance: having the policy puts you in compliance with the law, and when a police officer asks you to validate that, you show your insurance card. Completing a network scan and a self-assessment questionnaire is a validation mechanism; it does not guarantee or assure that you are compliant. The trouble comes when a company completes an SAQ, passes a scan, and then suffers a data breach. Many companies mistakenly believe that because they completed the scan and the SAQ they are assured of compliance and protected from fines. This is a dangerous mistake to make.
Completing the validation will not protect you from the fines, fees, or penalties associated with a data breach. After a breach, the card brands (Visa, MasterCard, etc.) will often require a forensic investigation, which you will pay for. That investigation does not ask whether you completed a scan and a questionnaire; it asks whether your company was actually compliant with the PCI DSS at the time of the breach. If you are found non-compliant, you may be subject to fines, fees, and penalties.
To help you navigate this often confusing maze, consider the following:
- Check whether your acquirer actually mandates that Level 4 merchants validate compliance. There is a growing industry of security vendors selling ‘validation’ to merchants that are not required to validate.
- If your acquirer, ISO, or processor is charging a ‘compliance fee’, consider whether you want to remain a client of that company. There are a number of very good acquirers and processors that do not charge for compliance.
- If you complete a scan and a self-assessment questionnaire, remember that this does not mean you are ‘compliant’ with the standard; it means only that you have met the requirement to validate. Ensure that you are actually applying the controls the PCI DSS requires.