The Green Sheet Online Edition
August 11, 2008 • Issue 08:08:01
Turbo charge PCI compliance
The Payment Card Industry (PCI) Security Standards Council (SSC) has mandated that all businesses that accept plastic must be PCI Data Security Standard (DSS) compliant.
That means global corporations all the way down to mom-and-pop shops must comply with PCI DSS.
But according to Dr. Suzanne Miller, Senior Partner at TurboPCI Inc., a division of Compliance & Audit Group Inc., small businesses, which represent about 95 percent of all merchants in the United States, don't have a clue about PCI DSS.
"A, they have no concept that they need to do this, and, B, if they do, they don't understand it," Miller said.
That is where TurboPCI comes in. It is both an online service and a hardcopy workbook that leads merchants step by step through the PCI DSS, providing education not only about what merchants need to do to achieve compliance, but also about how to do it.
"For example, one of the [PCI] requirements is that you have an inventory of all media containing cardholder data," Miller said. "So what we've said is step one, look around your business and identify every sheet of paper that has a credit card number on it.
"Determine if you have floppy discs, backup tapes, anything that could contain a credit card number.
"Now that you've identified it all, decide if you need to keep it. If you need to keep it, if it's paper, you put it in a container, mark confidential on it and then store it in a lockable closet.
"And then we have a form where they fill out that they have box 1, box 2, box 3, the date that they put it in the storage room."
Similarly, if merchants decide to destroy cardholder data, TurboPCI tells them how to go about it and how to document it.
As a Qualified Security Assessor (QSA) since 2007, TurboPCI understands the burden PCI DSS has placed on ISOs in making sure their merchants reach and maintain PCI compliance.
So TurboPCI also provides reporting features that keep ISOs and acquirers updated on which merchants are compliant and which ones aren't.
"So imagine an ISO that has 10,000 merchants and now they have 10,000 [security assessment] questionnaires sitting on their desk," Miller said. "And they're going to have to report out on all of them? I don't think that's going to happen."
TurboPCI is able to sift out the "problem" merchants so acquirers can focus their efforts on them.
Pain point mitigation
Miller's team also understands that acquirers are in "a lot of pain right now," she said, because they don't know how to get all their merchants PCI compliant. So the QSA is offering acquirers a deal.
"If we have a substantial amount of the acquirers' merchants who have signed up for TurboPCI, we provide all of the service to the acquirers at no cost," Miller said. And merchants will be charged less than $100 a year for TurboPCI.
Additionally, Miller said acquirers themselves are required to attain level 1 PCI DSS compliance, which requires a yearly security audit.
The QSA will supply that audit to acquirers free of charge, "if you give us your merchants," Miller said.