To clarify complexities regarding Payment Card Industry (PCI) Data Security Standard (DSS) compliance, security solutions provider Trustwave and the Electronic Transactions Association hosted a webinar on Jan. 26, 2010. Entitled PCI DSS Expert Panel: Common Questions Answered, it addressed the concerns of payment professionals and merchants.
The webinar's panel of Trustwave experts included Neel Blair, Senior Information Security Consultant; Kevin Mott, Enterprise Sales Engineer; and Colin Sheppard, Incident Response Practice Manager. The colleagues offered in-depth solutions to issues pertaining to compliance, security and incident response.
A common question asked by ISOs, merchant level salespeople (MLSs) and other payment professionals is whether complying with the PCI DSS is optional. Mott said the card brands have required adherence to the PCI DSS since 2006.
"Failure to achieve and maintain PCI standards can result in noncompliance fees from the acquiring bank that are assessed on a regular basis, usually monthly," Mott said. "And the costs incurred to reverse damages in the event of a breach are significant. Additionally, there are regulatory fines and penalties, higher costs to process card transactions or even losing the ability to do so completely, and stricter compliance requirements for the merchant."
Another concern is the difficulty of interpreting the Self-Assessment Questionnaire (SAQ).
"If you're struggling with interpretation of the SAQ controls, then it might indicate possible risk," Mott said. "Merchants need assistance interpreting what is required of them as it relates to their environment. The criteria generally are fairly black and white, but it is essential to pay attention to the environment associated with those requirements."
He added that PCI DSS compliance applies to all card network members, merchants and service providers that store, process or transmit card data. Any system component included in or connected to the cardholder environment is within the scope of PCI.
Educating merchant and ISO staff on security measures can be time-consuming and cost-prohibitive. Blair said the best approach is to avoid one "overarching" training program.
"Everyone does need to be trained on some level, but perhaps you want to divide the information up and think about which pieces of the standard each individual or group really needs," Blair said. He also suggested using publicly available resources rather than "trying to invent your own content."
He added that existing data loss prevention tools can "go through systems and keep track of cardholder data (that might be sitting in databases, files, spreadsheets or e-mails) and help you find out where it is. That being said, you have to know where to point your data loss prevention tool."
Many small merchants feel they cannot possibly meet PCI DSS requirements since most of them can't afford to hire security specialists. Thus, a breach is often a merchant's initial introduction to PCI.
"One thing to keep in mind with incident response is that we also deal with remediation and sealing up that hole so it doesn't happen again," Sheppard said. "There are a lot of solutions for small merchants that aren't high-dollar items. Compliance is obtainable, but we have to educate them correctly."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.