The Green Sheet Online Edition
May 14, 2007 • Issue 07:05:01
PCI priority: No agent left behind
AmbironTrustWave recently investigated approximately 200 payment card compromises. In 57% of the cases studied, reliance on third-party products or services may have exposed merchant or service provider systems to cardholder data theft.
Additionally, we found that flawed software-based payment applications may have contributed to 72% of compromises.
As the card Associations continue to educate the industry on the importance of data security, they preach caution and due diligence to merchants, especially in regard to working with third-party vendors.
In addition, acquiring banks have begun reaching out to smaller merchants about data security. As merchants become more aware of the issues, their demand for products and services that sustain compliance with the Payment Card Industry (PCI) Data Security Standard will increase.
Become a PCI expert
As an ISO or merchant level salesperson (MLS), you need to understand PCI to keep your own business secure, to protect yourself should a customer's cardholder data be breached, and to differentiate your company in a crowded marketplace.
The primary objective of PCI is to prevent the exposure of cardholder data to unauthorized parties such as hackers seeking credit card information for fraudulent purposes. PCI consists of 12 requirements and multiple subrequirements to guide the building and maintenance of secure payment card networks.
Each card brand (American Express Co., Discover Financial Services LLC, JCB International Co. Ltd., MasterCard Worldwide and Visa U.S.A.) demands that any entity processing, storing or transmitting cardholder information comply with all PCI requirements.
While PCI is an industry-accepted, global standard for protecting cardholder data, each card brand oversees its own enforcement of compliance with the standard and sets its own penalties, both for noncompliance and for events in which payment card data is compromised.
Given the ubiquity of payment card processing technology and services (evidenced in part by the spread of free equipment offers advertised in industry publications), PCI offers you an opportunity to distinguish yourself.
As the statistics from the AmbironTrustWave study illustrate, third parties involved in payment card acceptance services sometimes lack a basic understanding of data security. If you can offer guidance to merchants in meeting PCI requirements, you will set your business apart.
Showing your concern for the security of your customers' payment card environments will strengthen existing relationships and lead to new business.
Evaluate your offerings
The first step in building a reputation as a resource for PCI information is ensuring that your offerings support PCI compliance. Otherwise you risk running afoul of the best data security practices you intend to preach. Begin by answering the following questions:
- Do the payment card processing services you provide come from providers listed on Visa's list of PCI-adherent service providers?
- Do the payment applications bundled with your POS terminals avoid storing track data (the full contents of the magnetic stripe) after authorization? PCI prohibits retaining it, even encrypted.
- Do these payment applications adhere to Visa's Payment Application Best Practices (PABP)?
- Are the versions and subversions of the payment applications you sell listed on Visa's list of PABP-adherent applications?
- Do the integrators of your card acceptance solutions install them at merchant sites in a PCI-compliant manner?
Visa's PABP, similar in nature to PCI, guides software developers in creating secure payment applications. PABP-adherent applications are noted on Visa's list of validated payment applications, located at www.visa.com/cisp. They support merchants' efforts in complying with PCI and securing cardholder information.
In addition to using PABP-adherent payment applications and securing their payment card environments (as required by PCI), merchants must use service providers from Visa's list of compliant service providers. This list is also located at www.visa.com/cisp.
Visa defines a service provider as any organization that "enable[s] payment transactions (e.g., authorization or settlement) between merchants and processors."
Should one of your customers experience a compromise, your liability, of course, depends on your contract with that merchant.
By offering solutions that support PCI compliance, you can demonstrate due diligence and avoid being held liable for penalties and fines that a compromised entity may attempt to pass on to you. But more importantly, offering PCI-compliant and PABP-adherent solutions bolsters your credibility as a data security resource for your customers.
Complying with PCI requires more than choosing secure payment applications and Visa-validated processing services. Future articles in this series will cover additional PCI-related considerations, including how to discuss PCI with merchants and resources for helping your clients get started on the path toward a secure payment card environment.
Michael Petitti is Senior Vice President of Marketing for AmbironTrustWave and is responsible for all of the company's marketing initiatives. Michael serves on the Electronic Transactions Association's Strategic Leadership Networking Forum Program Planning Committee. Call him at 312-873-7291, or e-mail him at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.