By Tim Cranny
Panoptic Security Inc.
There is rising pressure on ISOs (independent sales organizations) to act on the Payment Card Industry (PCI) Data Security Standard (DSS), and many are struggling to put together PCI compliance and validation programs for their merchants.
Those that do put together a plan too often have trouble implementing it. That is not surprising when you consider how far PCI compliance is from day-to-day business: The skills needed to build and execute a PCI program are very different from those that normally make an ISO successful.
This article offers tips on how you, as ISOs and merchant level salespeople, can design and execute successful PCI programs.
As always, be wary of experts whose advice is the same for everyone. There is no such thing as an effective one-size-fits-all solution. When evaluating expert advice, ask yourself whether it is right for your portfolio and for your merchants.
Examples of issues to consider include:
If you have a small portfolio of high-value merchants, think about partnering with a qualified security assessor (QSA) who can give your merchants plenty of detailed, one-on-one help, albeit at high cost per merchant.
If you have thousands of smaller merchants in your portfolio, look for a solution that is low cost but able to deal with larger numbers. The vendors and partners you need in this situation are those with a business model built around making a few dollars from many merchants, rather than a lot of money from a few merchants.
It is critical that your program solve the real problems your merchants are facing, not "fake" problems. That sounds obvious, but you'd be surprised: There are vendors out there whose claim to fame is that they've put a copy of the PCI Self-Assessment Questionnaires up on the Web for your merchants to access.
That would be great if the core problem with PCI were that all your merchants happen to be allergic to paper, but in reality the problem is that your merchants don't know what the words mean: They don't know enough about security to understand questions about firewalls and network topologies, encryption, or formal security policies.
It really doesn't matter whether they're reading these confusing words on paper or computer screen.
The fundamental shortage in PCI-land is expertise in security and compliance. Your merchants don't have any, so your program needs to hold their hand through the entire extended process, explaining technical terms to them, telling them how PCI works, what it all means, and which specific issues apply to them and which do not.
The new SAQs are an improvement over the old, but we have already seen plenty of real-world evidence from our ISO partners that the problem hasn't gone away.
This means someone, somewhere, has to be a PCI and security expert and be available to your merchants. A critical part of putting together a PCI program is either finding someone in-house to be that expert or finding a partner company that can fill that role for you. ISOs (or their partners) need to have an entire support program in place, including things like e-mail support.
PCI is not just a passive process, and your merchants need to actually do things to either get compliant (meet the requirements of the standard) or get validated (demonstrate that they do, for example by completing the appropriate SAQ). They will need help with these activities just as much as (or more than) they do with the initial assessment phase. If you don't provide that assistance, both you and your merchants will get disappointing results and be frustrated.
Your merchants will need help with at least the following:
For everyone, particularly ISOs, PCI is going to be a drawn-out process. A critical part of a long-term, successful PCI program is the ability to look over your portfolio and make assessments. Determine what percentage of your merchants are validated, what percentage are compliant, and for those who are noncompliant, determine which sections of the standard they are failing to meet.
Having that sort of information helps identify and control risks. It also allows you to allocate resources in a cost-effective manner.
ISOs need to either build or get access via a partner to a solution with business analytics and reporting built in. This is going to be a challenging software development task for most ISOs and is another of the many reasons why we, at Panoptic, are seeing a trend toward ISOs resolving their challenges by partnering with PCI specialists rather than building solutions internally.
By taking these issues into account, you can dramatically increase the odds of putting together a PCI program that protects you and your merchants and does so without becoming a burden in terms of time or money. Implementing the right programs for your clientele will help you do what is most important: focus on serving and expanding your merchant portfolio.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599-3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.