
The Green Sheet Online Edition

November 10, 2008 • Issue 08:11:01

Spot-on PCI programs

By Tim Cranny
Panoptic Security Inc.

There is rising pressure on ISOs to act on the Payment Card Industry (PCI) Data Security Standard (DSS), and many are struggling to put together PCI compliance and validation programs for their merchants.

Those that do put together a plan too often find themselves having trouble successfully implementing it, which is not surprising when you consider how different PCI compliance is from day-to-day business: The skills needed to put together and execute a PCI program are very different from those that normally make an ISO successful.

This article offers tips on how you, as ISOs and merchant level salespeople, can design and execute successful PCI programs.

Match the program to your portfolio

As always, be wary of experts whose advice is the same for everyone. There is no such thing as an effective one-size-fits-all solution. When evaluating expert advice, ask yourself, Is this right for my portfolio, for my merchants?

Examples of issues to consider include:

  • Scalability: Even if you have a solution that works well for individual merchants, will it be able to cope with all the merchants in your portfolio? We know of several ISOs - and not even particularly large ones - whose PCI programs were swamped within hours of going live by merchants asking for assistance and advice. No one merchant was particularly hard to deal with, but collectively, they were a tidal wave.

  • Suitability: Down at the level of individual merchants, does the program give them the sort of help that is right for them? Large, sophisticated merchants need one sort of program, but smaller merchants with fewer resources need a program built around simpler, cheaper features. Confusing the two will invariably lead to merchant dissatisfaction and an unsuccessful program.

    If you have a small portfolio of high-value merchants, think about partnering with a qualified security assessor (QSA) who can give your merchants plenty of detailed, one-on-one help, albeit at high cost per merchant.

    If you have thousands of smaller merchants in your portfolio, look for a solution that is low cost but able to deal with larger numbers. The vendors and partners you need in this situation are those with a business model built around making a few dollars from many merchants, rather than a lot of money from a few merchants.

Solve your merchants' real problems

It is critical that your program solve the real problems your merchants are facing, not "fake" problems. That sounds obvious, but you'd be surprised: There are vendors out there whose claim to fame is that they've put a copy of the PCI Self-Assessment Questionnaires up on the Web for your merchants to access.

That would be great if the core problem with PCI was that all your merchants happen to be allergic to paper, but in reality the problem is that your merchants don't know what the words mean: They don't know enough about security to understand questions about firewalls and network topologies, encryption, or formal security policies.

It really doesn't matter whether they're reading these confusing words on paper or on a computer screen.

The fundamental shortage in PCI-land is expertise in security and compliance. Your merchants don't have any, so your program needs to hold their hand through the entire extended process, explaining technical terms to them, telling them how PCI works, what it all means, and which specific issues apply to them and which do not.

The new SAQs are an improvement over the old, but we have already seen plenty of real-world evidence from our ISO partners that the problem hasn't gone away.

This means someone, somewhere, has to be a PCI and security expert and be available to your merchants. A critical part of putting together a PCI program is either finding someone in-house to be that expert or finding a partner company that can fill that role for you. ISOs (or their partners) need to have an entire support program in place, including things like e-mail support.

Give your merchants active assistance

PCI is not just a passive process, and your merchants need to actually do things to either get compliant or get validated. They will need help with these activities just as much as (or more than) they do with the initial assessment phase. If you don't provide that assistance, both you and your merchants will get disappointing results and be frustrated.

Your merchants will need help with at least the following:

  • Completion of formal documentation, including the SAQ

  • Construction of a personalized remediation plan describing how merchants will fix each of the weaknesses identified in their assessment process

  • Access to a range of remediation solutions, including hardware, software and other solutions such as customized security policies and other process-centric solutions

Understand and track what is going on

For everyone, particularly ISOs, PCI is going to be a drawn-out process. A critical part of a long-term, successful PCI program is the ability to look over your portfolio and make assessments. Determine what percentage of your merchants are validated, what percentage are compliant, and for those who are noncompliant, determine which sections of the standard they are failing to meet.

Having that sort of information helps identify and control risks. It also allows you to allocate resources in a cost-effective manner.

ISOs need to either build a solution with business analytics and reporting built in, or get access to one via a partner. This is going to be a challenging software development task for most ISOs and is another of the many reasons why we, at Panoptic, are seeing a trend toward ISOs resolving their challenges by partnering with PCI specialists rather than building solutions internally.

By taking these issues into account, you can dramatically increase the odds of putting together a PCI program that protects you and your merchants and does so without becoming a burden in terms of time or money. Implementing the right programs for your clientele will help you do what is most important: focus on serving and expanding your merchant portfolio.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at tim.cranny@panopticsecurity.com or 801-599-3454.
