PCI DSS is complex but consultants may not be necessary

PCI DSS compliance is certainly going to be top of mind for retailers in the coming months. On Thursday July 1st Visa is tightening up its security rules on smaller companies accepting card payments. This is particularly pertinent as it was announced earlier this month that all London Olympics tickets must be purchased on a Visa card. In September, a further security mandate will require large scale card-accepting businesses to be fully PCI DSS compliant from the start of that month onwards.

Jeff LoSapio, security practice manager for Fortify, comments: “Smaller companies accepting card payments need to start thinking like larger scale companies. With cyber threats at an all time high they are increasingly a target and need to take PCI seriously.”

“The most important aspect of the PCI rules – which were introduced to protect cardholders from sloppy IT security practices in companies accepting their cards – is that companies should regard meeting the security mandate as a best practice requirement that their IT department must achieve, just as HMRC imposes best practices on payroll departments, rather than a minimum target that has to be reached,” he added.

PCI rules are becoming more complex, meaning that any company that accepts card payments should, if they have not already done so, start reviewing their IT security systems to prevent any problems further down the line.

The current (v1.2) rules are split into 12 requirements, grouped into six logically related groups called control objectives. The first stage in meeting these objectives is to check whether the security rules actually apply to your company, whether now or in the future.

This can be achieved by going to the PCI Security Standards Council Web site and using the self-assessment tools on the portal, and, in the event of any questions, IT managers should not be afraid of asking the council for its opinion.

The site has a number of resources available to merchants and service providers, including a self-assessment questionnaire, which helps companies understand whether their organization needs to comply with the progressively evolving card security rules.

Only once a business has confirmed that it requires compliance, and what deadlines are being imposed, should it consider employing a PCI DSS consultant.

Even then, understanding the difference between a QSA (qualified security assessor), who carries out the on-site assessment and validates compliance, and an ASV (approved scanning vendor), who performs the external vulnerability scans the standard requires, is another key step along the road to better PCI compliance. Coupled with the array of fact sheets on the council’s Web site, much of the process of preparing for PCI DSS compliance can be completed before the need to employ a consultant arises.