As QSAs, we do not always do a good job of explaining why the PCI DSS is so important. After all, small merchants’ PCI compliance is often viewed with some skepticism and is often maligned as a way for the PCI Security Council to make money. After all, what does this have to do with me selling (insert product here)? The correct answer is NOTHING! You don’t have to accept credit cards as payment for your goods or services. There, I said it! However, not accepting credit cards could have a negative impact on your bottom line, and, contrary to popular belief, it is the card brands (Visa, Mastercard, American Express, Diners Club, Discover, and JCB) that set the rules, standards, and enforcement of compliance. The PCI Security Council only manages the programs, so there is uniformity between the card brands (which was not always the case). The Guide to Safe Payments not only does a terrific job explaining core concepts, risk, terminology, and protection strategies, it also serves as a valuable resource for other useful PCI documents and tools. And, guess what? It is free as well, and can be obtained from the PCI Security Council.
Questions to Ask Your Vendors
This reminds me of the old game show, Truth or Consequences. Was the guest telling the truth? And, if not, what were the consequences? When working with any vendor who sells your PCI product (POS systems, credit card terminals, etc.) or services (managed services, payment processing, gateways, storage solutions, etc.), remember: what they tell you or how they word their marketing materials may not be quite accurate (not the same as lying—it is sales and marketing). There are many services you can outsource to a third party, but remember: you can’t outsource your ultimate responsibility to protect your customers’ credit card data. To properly assist you in engaging and managing service providers and vendors, the PCI Security Council has created another (you guessed it) free resource. Questions to Ask Your Vendors provides a set of specific questions to ask vendors to make sure they are protecting your customers’ credit card data. You should only work with vendors and service providers who understand and accept their responsibility to protect cardholder data as described in the PCI DSS.
I commend the PCI Security Council and thank the Payment Card Industry (PCI) Small Merchant Taskforce for developing these wonderful resources and tools. Not only do they help the small merchants who are new to the PCI DSS and those who have completed PCI assessments in the past, but they also help the communication between merchants and their QSAs. No longer will the QSA be speaking a foreign language. Now, small merchants and QSAs will be speaking a common language to support and secure your clients’ credit card information and help reduce the risk of a credit card breach.
LBMC Information Security is one of the longest-tenured and largest PCI assessors in the United States, and our team stays on top of the requirements within the industry. If your organization is considering a PCI assessment, contact us to learn how we can help.