The Green Sheet Online Edition

February 08, 2010  •  Issue 10:02:01


Illuminating the compliance highway

To clarify complexities regarding Payment Card Industry (PCI) Data Security Standard (DSS) compliance, security solutions provider Trustwave and the Electronic Transactions Association hosted a webinar on Jan. 26, 2010. Entitled PCI DSS Expert Panel: Common Questions Answered, it addressed the concerns of payment professionals and merchants.

The webinar's panel of Trustwave experts included Neel Blair, Senior Information Security Consultant; Kevin Mott, Enterprise Sales Engineer; and Colin Sheppard, Incident Response Practice Manager. The colleagues offered in-depth solutions to issues pertaining to compliance, security and incident response.

Not an option

A common question asked by ISOs, merchant level salespeople (MLSs) and other payment professionals is whether complying with the PCI DSS is optional. Mott said the card brands have required adherence to the PCI DSS since 2006.

"Failure to achieve and maintain PCI standards can result in noncompliance fees from the acquiring bank that are assessed on a regular basis, usually monthly," Mott said. "And the costs incurred to reverse damages in the event of a breach are significant. Additionally, there are regulatory fines and penalties, higher costs to process card transactions or even losing the ability to do so completely, and stricter compliance requirements for the merchant."

Make it relative

Another concern is the difficulty of interpreting the Self-Assessment Questionnaire (SAQ).

"If you're struggling with interpretation of the SAQ controls, then it might indicate possible risk," Mott said. "Merchants need assistance interpreting what is required of them as it relates to their environment. The criteria generally are fairly black and white, but it is essential to pay attention to the environment associated with those requirements."

He added that PCI DSS compliance applies to all card network members, merchants and service providers that store, process or transmit card data. Any system component included in or connected to the cardholder environment is within the scope of PCI.

Keep it simple

Educating merchant and ISO staff on security measures can be time-consuming and cost-prohibitive. Blair said the best approach is to avoid one "overarching" training program.

"Everyone does need to be trained on some level, but perhaps you want to divide the information up and think about which pieces of the standard each individual or group really needs," Blair said. He also suggested using publicly available resources rather than "trying to invent your own content."

He added that existing data loss prevention tools can "go through systems and keep track of cardholder data (that might be sitting in databases, files, spreadsheets or e-mails) and help you find out where it is. That being said, you have to know where to point your data loss prevention tool."

Seal it up

Many small merchants feel they cannot possibly meet PCI DSS requirements since most of them can't afford to hire security specialists. Thus, a breach is often a merchant's initial introduction to PCI.

"One thing to keep in mind with incident response is that we also deal with remediation and sealing up that hole so it doesn't happen again," Sheppard said. "There are a lot of solutions for small merchants that aren't high-dollar items. Compliance is obtainable, but we have to educate them correctly."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

