THE RETAIL BULLETIN - The home of retail news
RETAIL SOLUTIONS UK NEWS

As VISA tightens security, experts urge businesses to take PCI DSS seriously

Security experts advise that while PCI DSS is complex, costly consultants may not be necessary

PCI DSS compliance is certainly going to be top of mind for retailers in the coming months. On Thursday July 1st Visa tightens its security rules for smaller companies accepting card payments; this is particularly pertinent as it was announced earlier this month that all London Olympics tickets must be purchased with a Visa card. In September, a further security mandate will require large-scale card-accepting businesses to be fully PCI DSS compliant from the start of that month onwards.

What is needed, according to Jeff LoSapio, security practice manager for application security specialists Fortify, is a change of mindset at the SME end of the market: “Smaller companies accepting card payments need to start thinking like larger-scale companies. With cyber threats at an all-time high they are increasingly a target and need to take PCI seriously.”

“The most important aspect of the PCI rules – which were introduced to protect cardholders from sloppy IT security practices in companies accepting their cards – is that companies should regard meeting the security mandate as a best practice requirement that their IT department must achieve, just as HMRC imposes best practices on payroll departments, rather than a minimum target that has to be reached,” he added.

LoSapio explains that the PCI rules are becoming more complex, so any company that accepts card payments should, if it has not already done so, start reviewing its IT security systems now to prevent problems further down the line.

The current (v1.2) rules, he explained, split neatly into 12 requirements, grouped into six logically related groups called control objectives. The first stage in meeting these objectives, says LoSapio, is to check whether the security rules actually apply to your company, now or in the future.

This can be done by going to the PCI Security Standards Council website and using the audit utilities on the portal; in the event of any questions, IT managers should not be afraid to ask the council for its opinion.

The site, he says, has a number of resources available to merchants and service providers, including a self-assessment questionnaire, from which companies can better understand whether their organisation needs to be compliant with the progressively evolving card security rules.

Only once a business has confirmed that it requires compliance, and what deadlines are being imposed, should it consider employing a PCI DSS consultant.

Even then, he says, understanding the difference between a QSA (qualified security assessor, who performs the on-site assessment and signs off the report on compliance) and an ASV (approved scanning vendor, who runs the quarterly external vulnerability scans the standard requires) is another key step along the road to better PCI compliance. Coupled with the array of fact sheets on the council’s website, LoSapio says that much of the process of preparing for PCI DSS compliance can be completed before the need to employ a consultant arises.

“By using the range of self-help files and questionnaires on the PCI council’s website, companies can save themselves a lot of expensive legwork in terms of pre-compliance procedures,” he said. “The resources available on the PCI council’s website – as well as from the council itself – are there to help businesses improve their card data practices,” he added.

“Through adoption of a best practice approach, companies can actually save themselves money in the longer term, and may even avoid the need to hire an expensive consultant who may not actually tell their board anything extra that their IT department doesn’t know already.”
