I recently got a call for help from a friend and customer. She accepts credit cards for her small business, and her card services provider had requested that she jump through various hoops to establish her PCI compliance. Although she is intelligent and well educated, many of the concepts and terms used in PCI compliance were foreign to her. To make matters worse, her network scans were failing, including some errors even I had to look up.
The PCI Security Standards Council, an organization made up of representatives from the major credit card brands, was formed in 2004, with the stated intent of improving credit card security. In December of that year, they issued version 1 of their Data Security Standard (known as PCI DSS), which merchants were expected to begin following. A variety of modifications to PCI DSS have been issued since then, each containing more stringent security requirements. For compliance purposes, merchants are broken down into tiers, with very large merchants falling in tier 1, and merchants with fewer than 1 million traditional transactions, or 200,000 eCommerce transactions, per year in tier 4. Obviously, most merchants fall in tier 4.
It is clear that a major purpose of PCI DSS is to provide a security standard within which merchants should function, and the security standards laid out therein are not unreasonable. That being said, it is not without issues.
One of the primary challenges with PCI is that it does not differentiate significantly between merchant tiers in the standards that must be followed. A tier 4 merchant must follow all of the basic requirements that apply to tier 1 merchants. While this is a laudable goal, it does not take into account the fact that many tier 4 merchants don't even have in-house IT staff. This results in people with limited technical knowledge being responsible for compliance with a complex technical standard.
Another issue involves the actual impact of the standard. As I said, the standards set forth are reasonable for their purpose. Despite these requirements, which continue to evolve on a yearly basis, credit card breaches have continued to increase significantly each year.
Finally, many question the motivation behind this standard, which is replete with overhead, penalties, fees, and costs. Michael Jones, CIO of Michaels' Stores, testified before a Congressional committee some time ago regarding PCI DSS, and said "...the PCI DSS requirements...are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement. It is often stated that there are only twelve 'Requirements' for PCI compliance. In fact there are over 220 sub-requirements; some of which can place an incredible burden on a retailer and many of which are subject to interpretation." Some have taken this a step further, claiming that a key goal of the standards is to provide increased revenue to providers, via penalties and fees.
The conundrum referenced in the title, therefore, is how smaller businesses can meet the minimum requirements for compliance while avoiding emptying their bank accounts, and all this while maintaining their sanity.
The following are some suggestions that will help your compliance, and your sanity:
The requirements stated in PCI DSS are good for your business
Ignoring the noise related to whether PCI is fair, or just a way for someone to increase revenue, keep in mind that most of the requirements are reasonable precautions that your business should be taking anyway. This is the reason you should be taking these precautions, with compliance being just a side benefit.
Begin with a plan
Having a written information security policy is the foundation of PCI DSS compliance, and all of the other major standards as well. Imagine a football team (American, that is) without a playbook. It is doubtful they would ever win a game. There are a variety of good templates available, but you need to make them your own. (Take a look at my article, Is your security policy monkey see, monkey do? for resources and additional guidance.)
Know who to call
PCI DSS is a detailed and complex standard. Regardless of how technical you are, you will find details that stump you. Find someone you can trust, and can call for advice on compliance and security, when you need it. Sometimes a 15-minute phone call is all you will need to move forward.
Remember that an audit is a snapshot
An audit looks at security and compliance with regulations at a single point in time. It is easy to be in compliance one day, and have major issues the next. As such, make maintaining the security needed for compliance part of your weekly routine. As my favorite entrepreneur is fond of saying, "by the inch it's a cinch."
Compliant does not mean secure
It is relatively easy to be compliant with PCI, without being secure. Remember, your focus should be on a safe and secure business, with compliance being the bonus.
We are in the process of finalizing a more-detailed PCI roadmap for small and medium businesses. If you want to receive a copy when it becomes available, join our email list, and we will make it available to you as soon as it is finished.