The Green Sheet Online Edition
February 14, 2011 • Issue 11:02:01
PCI vendor selection
As compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) becomes a normal part of doing business, security solutions and products are emerging from obscurity to become business and legal necessities.
For an ISO, merchant level salesperson (MLS), bank, processor or other service provider, this means being exposed to a strange new world of techno-babble and a crowd of security vendors all competing for your attention.
But which solutions do you need? What's the right strategy for tying together all these different products? Which vendors should you work with? And where can you find assistance with this sometimes intimidating process?
Fortunately, remembering a few key ideas will help you understand more about this new world, so you can answer these questions and help ensure you are investing time and effort wisely.
QSAs and ASVs
The first step in dealing with PCI is to understand at a high level the types of solutions and services that exist. The oldest and most obvious types of PCI vendor are the Qualified Security Assessors (QSAs) and the Approved Scanning Vendors (ASVs).
QSAs are essentially consulting companies that have been trained and certified to perform detailed on-site audits. Their business model is naturally hard to scale and expensive, which makes them appropriate for large, complicated organizations. However, they are essentially irrelevant if you're trying to deal with a portfolio containing a large number of smaller merchants.
ASVs are companies that have been certified to conduct network scans of merchants' websites and applications. These scans look for software or network problems that might expose cardholder data.
While the quarterly scan requirement is critical, passing such a scan does not mean a merchant has passed PCI; it just means one of many requirements has been met. The ASV business model and its execution are naturally more scalable than those of a QSA, but they are inherently less comprehensive.
Because of the constraints of their business models, neither QSAs nor ASVs can solve the needs of the average ISO, MLS or other payment professional whose portfolio contains many small merchants. QSAs and ASVs have their place, but the search for the right vendor partnerships has to extend far beyond them.
The good news is that the last thing you need to worry about is a lack of vendors and solutions; there are plenty of options to explore. An enormous security industry existed long before PCI was established. It extends far beyond PCI and comprises many hundreds of security vendors. You are in more danger of becoming confused about which one to choose than you are of being stranded without an appropriate choice.
Most of these companies offer what are called point solutions. These products address specific, narrow security requirements such as firewalls, anti-virus solutions, encryption and so on. Many of these vendors use PCI as a way to market their products.
These point solution vendors often try to give the impression that they solve all of the PCI requirements. This might be a good short-term marketing ploy, but it is completely inaccurate. The PCI requirements are so broad and cover so many different issues that they cannot be solved with any one solution, especially a purely technical product.
This is doubly true because PCI covers many soft issues around policies, procedures, training, physical security and similar concerns. This means the answer is not to look for the one, ultimate solution, but instead to build up a bench of preferred solutions, each with its own place and value, but none of which is unduly emphasized over the others.
To build up this bench of solutions requires a lot of security expertise, so each ISO needs either to be a security expert or to partner with one. Having an impartial security partner to help you navigate through the maze of acronyms and technical details makes a lot of sense, since it is dangerous and inefficient to get caught up in premature conversations about end-to-end encryption, 802.1x, IDS/IPS, and so on without the right framework to surround them.
Having a guide will help you learn about the process while receiving assistance in making the right choices.
Points to remember
Here are several things to keep in mind when assessing security vendors:
- If you have a merchant portfolio with many small merchants, keep in mind that most QSAs will be unsuitable because of high fixed costs and the types of customers they focus on.
- Small merchants, in particular, need low-cost solutions, so look for options that use technology to achieve high scalability and efficiency. For example, solutions using software-as-a-service will always be much lower cost than consulting-based solutions.
- Small merchants need assistance as a key part of any solution. Do not select a vendor who will provide the technology but expect the merchant to implement it without assistance. This can be a danger when dealing with vendors who are used to selling to, and supporting, enterprise customers.
- Be wary of any vendor with a narrow technical solution claiming to offer a silver bullet that will solve all your PCI problems. PCI is too broad for that to be possible, and this sort of marketing is a strong indicator that the vendor is dishonest. Here are good questions to ask:
  - What about things like the policy and procedure requirements of PCI?
  - How will my merchants even understand the questions they're being asked in the questionnaires?
- Many vendors offer point solutions to specific security problems, but there is a bewildering crowd of competing vendors and solutions out there. First, form a relationship with a trusted security advisor before getting into conversations about technical specifics.
If you have the right expertise or if you find the right security partner to handle the issues discussed herein, the technical details should fall into place fairly easily.
That means you can greatly diminish the burden and expense of PCI for you and your merchants.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599-3454.