Does PCI Apply to me? Store Process Transmit

Lots of people ask this, so it must be time to blog it.  “Does PCI apply to my company?”  Ask yourself three simple questions.  Do you:

  • STORE Credit Card data.
    If someone stores your card data, you want it stored safely; that point needs no further argument.
  • PROCESS Credit Card data.
    If you touch CHD (Cardholder Data, the term the ‘industry’ uses) in any way, shape or form, you are a liability to the safety of that data.  Note that ‘touch’ includes card data that merely passes through a system you control, such as a checkout form that posts to your web server before being forwarded to the processor, even if it is never written to disk.  (If you disagree, leave your buddy’s daughter unattended with your credit card at a shopping center.  She is only ‘temporarily in contact’ with it.)
  • TRANSMIT Credit Card data.
    Nor does anyone need convincing that valuable or sensitive data in transit is a target.

So, if you do pretty much anything with Credit Card data, the Payment Card Industry probably cares that you are handling their data safely; it keeps the cardholders happy.

Now, let’s say that a company *does not touch* the CHD.  At all.  For all payment activity, the company outsources most, if not all, of the payment processing to a ‘service provider’… what does PCI say about that?

PCI Requirement 12.8, “If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:

  1. Maintain a list of service providers.
  2. Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
  3. Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
  4. Maintain a program to monitor service providers’ PCI DSS compliance status.”

Making it SIMPLE: if a company is in any way involved with Credit Card data, it needs to be sure that those interactions align with the security requirements its merchant agreement binds it to (you might want to start with that PCI DSS stuff).

For ultimate clarity, go to the ‘Acquiring Bank’: a banking institution must ultimately accept responsibility for any risk presented by the transactions it receives from business partners (like the merchants that pay it to convert credit transactions into cash), so it is the acquirer that decides what evidence of compliance it wants from you.

FINAL THOUGHT: Even if your payment channels are outsourced, your online store is hosted elsewhere, or you have completely eradicated any form of contact with the ‘actual credit card data stuff’, you may want to look at the Self Assessment Questionnaire options.  If the company that processes CC data ‘for your company’ is hacked wide open, your company will still get the free press for getting hacked (even though you may not be paying the fines).  (C’mon, if you outsource your CC processing and they get hacked, you aren’t getting my business till you fix that…)

In all seriousness, PCI has evolved.  Go check out the options for companies that see little, if any, credit card data: the Self Assessment Questionnaire comes in several variants, and the shortest one (SAQ A) is written for merchants that have fully outsourced all cardholder data functions to validated service providers.


10 Responses to “Does PCI Apply to me? Store Process Transmit”

  1. Rachel James Says:

    Good summary. I think it is important to mention that even if you’ve managed to outsource in a way to avoid this… it is important to read, follow, and remain updated. There are a lot of just good common sense pieces of infosec advice that should be followed anyway when it comes to PCI compliance. Remember that remaining compliant doesn’t always mean being secure. Compliance is the bare minimum, and companies should always strive for more.

  2. Martin Says:

    One more thing to remember, Trey: It’s the acquiring bank who ultimately gets to decide if you’re responsible for meeting PCI compliance. If they decide outsourcing your CCN process is enough, you’re free and clear. If they decide you’re a level 1 despite letting someone else handle the cardholder data for you, you’re stuck.

    Martin

  3. will Says:

    How does PCI apply to the mom and pop online retailer who uses a shared hosting account, an open-source shopping cart, and does their card processing through a service such as Authorize.net?

  4. Anton Chuvakin Says:

    Hey Trey… let’s sponsor a contest for the funniest “PCI DSS doesn’t apply to us because…..” line.

    Like the idea?

  5. Mike C Says:

    Trey,
    This seems crazy. If PCI Compliance is ever enforced heavily, then that means that all these small businesses will get fined unless they utilize Server Integration Method (Authorize.net) instead of Advanced Integration Method. Can this really be true? Why would that rule exist if SSL is in use. The data the customer types in is encrypted before being sent out across the networks…

  6. PCI Compliance Software Solutions Says:

    That’s a great article addressing a very complicated compliance subject that many people struggle with. It’s good to see great information reaching people about PCI compliance.

  7. Mike C Says:

    I was finally able to find someone knowledgeable about all this PCI and PA DSS stuff. Essentially, it comes down to your merchant account provider to enforce these things. You can “escape” having your domain PCI DSS compliant by not storing, processing or transmitting cardholder data. This means that you can use the Server Integration Method for accepting credit card payments (user is directed to authorize.net’s site to enter cc data, like the early days of ecommerce.) Accepting cc over the phone or via snail mail opens you up to having to be PCI Compliant at your locale. The only way around this is to quit accepting credit cards via phone or snail mail. Also, PA DSS is going to most likely wipe out all or most open source or small business level shopping carts. Get ready for hell next year.
