The Green Sheet Online Edition
February 09, 2009 • Issue 09:02:01
Get the FUD out of PCI
Merchants are being unnecessarily frightened by vendors trying to lock in the idea that the Payment Card Industry (PCI) Data Security Standard (DSS) is always horribly complicated, and the only way to tackle it is to buy expensive hardware, software or services.
And misrepresentations involving PCI compliance are not just affecting merchants: They hurt ISOs, merchant level salespeople (MLSs), acquirers and others in the payments industry as well.
Too many ISOs and acquirers are taken in by talk of unavoidable complications and costs and are reacting in counterproductive ways. Some are ignoring PCI, hoping it will go away. Some are going to the other extreme: hitting their merchants with aggressive and tone-deaf requirements to the point at which some merchants are threatening to move to other acquirers or service providers.
Match method to merchant
It is true that for many merchants - particularly larger merchants - PCI is complicated. However, this need not be the case for everyone else, especially for small merchants. ISOs and MLSs can and should offer these merchants relatively simple, painless and inexpensive routes to compliance.
This article provides simple steps that can significantly lighten the burden and expense of PCI compliance. It also offers tips on how to tell when a vendor is making life more complicated than it really needs to be by spreading fear, uncertainty and doubt (FUD).
The right perspective will help ISOs and MLSs steer the proper middle course, giving each merchant the right level of service, laying out the right set of compliance and validation obligations, and, most importantly, ensuring cardholder information is protected against identity theft.
This means a one-size-fits-all strategy for dealing with merchants in a portfolio is never going to work. Some merchants are designated high-risk because of the number of transactions they handle or because they store cardholder data or are accessible over the Internet. PCI imposes a higher validation burden on these types of merchants.
It is likely such merchants need, and might even appreciate, a broad range of services. However, most merchants live in a simpler world. Imposing the same broad range of services and costs on them is hard to justify.
Doing so might help vendors and simplify the decision-making process, but it also burdens merchants with unnecessary services and gives them the impression that PCI is an expensive, complicated process that is divorced from reality.
ISOs should therefore look for a solution package that recognizes, and gracefully handles, the diversity of merchant environments. For example, only merchants who use an Internet-accessible payment application need network scans, and only they should have to pay for them.
ISOs also need to help merchants adjust operations to deal with PCI in the smartest way possible - not by running headfirst into challenges and then hopefully overcoming them, but by avoiding them altogether.
This is almost always the most secure and cost-effective way to deal with security issues; it also causes the least disruption to business. I am not talking about trying to "trick" PCI by avoiding assessments but rather passing assessments with flying colors by avoiding exposure to risks in the first place.
Ease the compliance burden
Here are ways for merchants to make PCI compliance and validation a simpler, less expensive process. Not all are relevant to every merchant, but it's a checklist that all merchants should consider:
- Use only Payment Application DSS-certified payment applications. All merchants will be required to make the switch by July 1, 2010, anyway. But merchants should do this sooner if possible: It shifts some of the security and compliance burden from merchants to payment application providers.
- Restrict the extent to which computer networks are affected by PCI. To attain PCI compliance, merchants are not automatically required to take into account every computer system and device they own, just those that:
  - Store, transmit or process sensitive cardholder data
  - Are directly connected to a computer that does store, transmit or process sensitive cardholder data
  - Are directly connected to a computer that is directly connected to a computer that stores, transmits or processes sensitive cardholder data
Basically, one should think of being within the scope of PCI as a sort of contagion that spreads throughout the network and is only stopped by firewalls or breaks in the network.
Merchants who separate PCI issues from potentially risky activities such as surfing the Web or reading e-mail make their businesses much safer and make PCI a much simpler issue to deal with.
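To make the scoping rule above concrete, here is an added example (not from the article or from Panoptic Security) that models a small store network as a list of links and works out which devices fall within PCI scope: devices handling cardholder data, anything directly connected to them, and anything one further hop out, with firewalled links stopping the spread. The host names, the sample network and the function names pci_scope and add_firewall are constructed for illustration.

```python
from collections import deque

# Constructed sample store network (hypothetical hosts and links).
# Each link is (host_a, host_b, kind); "firewalled" means a firewall sits
# between the two hosts and stops PCI scope from spreading across it.
SAMPLE_LINKS = [
    ("pos-terminal", "store-switch", "direct"),
    ("store-switch", "back-office-pc", "direct"),
    ("back-office-pc", "printer", "direct"),  # three hops out: not in scope
    ("printer", "break-room-pc", "direct"),
    ("store-switch", "guest-wifi-ap", "firewalled"),  # segmented off
    ("guest-wifi-ap", "guest-laptop", "direct"),
]
CHD_HOSTS = ["pos-terminal"]  # stores/transmits/processes cardholder data


def pci_scope(links, chd_hosts, max_hops=2):
    """Return {host: hops} for every device in PCI scope: hop 0 handles
    cardholder data, hop 1 is directly connected to hop 0, hop 2 to hop 1.
    Firewalled links are dropped, so scope cannot spread across them."""
    adj = {}
    for a, b, kind in links:
        if kind == "firewalled":
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    scope = {host: 0 for host in chd_hosts}
    queue = deque(chd_hosts)
    while queue:
        host = queue.popleft()
        if scope[host] >= max_hops:
            continue  # the "contagion" stops after two hops
        for neighbour in adj.get(host, ()):
            if neighbour not in scope:
                scope[neighbour] = scope[host] + 1
                queue.append(neighbour)
    return scope


def add_firewall(links, a, b):
    """Return a copy of links with the a-b link placed behind a firewall."""
    return [(x, y, "firewalled") if {x, y} == {a, b} else (x, y, kind)
            for x, y, kind in links]
```

Calling pci_scope(SAMPLE_LINKS, CHD_HOSTS) puts the terminal, the switch and the back-office PC in scope; firewalling the switch-to-back-office link with add_firewall shrinks scope to the terminal and switch alone, which is the segmentation payoff the article describes.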
- Avoid wireless systems or keep wireless devices away from anything having to do with PCI. Wireless is easy to set up but not easy to set up in a safe way. PCI requires merchants to either carefully configure and manage wireless or avoid it altogether. All merchants should think seriously about avoiding wireless, since doing so is the simpler, cheaper, safer alternative.
- Do not store sensitive cardholder data in electronic form unless absolutely necessary for critical business functions (such as recurrent billing using in-house applications).
Storing this sort of data does not automatically make a merchant fail PCI, but it does expose the merchant's business to risk and makes the entire PCI-compliance process significantly more expensive and technically complicated. Each merchant needs to seriously consider whether the benefits outweigh the complications.
Many merchants already have the suggested practices in place and live in a world in which PCI compliance can be relatively simple and painless. It's critical that ISOs avoid clumsy moves that punish these merchants with unnecessary cost and confusion just because other merchants need additional expensive services.
ISOs who strike the right balance, giving "simple" merchants streamlined, low-cost solutions while offering "complicated" merchants a broad suite of affordable services, will have safer, more satisfied merchants.
So remember, every time a PCI vendor tries to use FUD to make life unnecessarily complicated and expensive for your merchants, use the points provided herein to dispel the nonsense.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599 3454.