If you have been in a technical position for any length of time, you know how daunting it can be to explain things in layman’s terms to non-technical people. The PCI DSS is no different. There have been numerous times when I thought I was explaining technical requirements to small merchants, and I would get a “deer-in-headlights” look from them. That’s because technical jargon is now embedded in my vocabulary, and what sounds perfectly normal to me can sound like a foreign language to our PCI clients (this is not intentional, and I apologize in advance).

However, the PCI Security Standards Council (referred to here as the PCI Security Council) has come to the rescue, and, in August of 2018, they released a set of tools for small merchants to assist them with their PCI compliance. This was just one of many accomplishments that were shared with the audience during the 2018 PCI Community Meeting in Las Vegas. This set of tools is a great resource for the small merchant who is now required to do a “self-assessment” and is trying to make sense of the requirements and which reports to fill out. However, these tools also add value to larger merchants who are struggling with their first PCI assessment, and to merchants who have completed a self-assessment in the past and may have filled out the wrong Self-Assessment Questionnaire (SAQ) because they didn’t fully understand the reporting requirements.

Glossary of Payment and Information Security Terms

It can be hard to fill out the self-assessment or communicate with your qualified security assessor (QSA) if you don’t understand the terminology. The PCI Security Council recognized the difficulty many merchants were having in trying to understand the PCI DSS requirements and thus created a glossary of easy-to-understand explanations of the technical terms used in payment security. No longer should the PCI DSS requirements and terminology sound like a foreign language to those who have the responsibility of completing a self-assessment or communicating with a QSA. The resource is free and can be downloaded from the PCI Security Council’s website.

Common Payment Systems

Another great resource for small merchants, first-time merchants, or merchants trying to mature their PCI DSS understanding is the Common Payment Systems resource on the PCI Security Council’s website. This resource is a set of real-life visuals to help identify what type of payment system a small business uses, the kinds of risks associated with that system, and the actions the business can take to protect it. Included are a variety of card payment implementations that are commonly seen across many industries. Most importantly, this toolset makes the point that PCI environments and merchant implementations are not “one-size-fits-all.” It covers not only the 15 common types of payment card implementations but also their risks, threats, and protections, and it gives an easy-to-understand graphical representation of each system’s risk profile. This valuable tool is also available free on the PCI Security Council’s website.

Guide to Safe Payments

As QSAs, we do not always do a good job of explaining why the PCI DSS is so important. Small merchants’ PCI compliance is often viewed with some skepticism and is often maligned as a way for the PCI Security Council to make money. After all, what does this have to do with me selling (insert product here)? The correct answer is NOTHING! You don’t have to accept credit cards as payment for your goods or services. There, I said it! However, not accepting credit cards could have a negative impact on your bottom line, and, contrary to popular belief, it is the card brands (Visa, Mastercard, American Express, Diners Club, Discover, and JCB) that set the rules and handle the enforcement of compliance, working through the acquiring banks. The PCI Security Council manages the standards so there is uniformity between the card brands (which was not always the case); it does not levy fines or enforce compliance itself. The Guide to Safe Payments not only does a terrific job explaining core concepts, risks, terminology, and protection strategies, it also serves as a valuable pointer to other useful PCI documents and tools. And, guess what? It is free as well from the PCI Security Council’s website.

Questions to Ask Your Vendors

This reminds me of the old game show, Truth or Consequences. Was the guest telling the truth? And, if not, what were the consequences? When working with any vendor who sells you payment products (POS systems, credit card terminals, etc.) or services (managed services, payment processing, gateways, storage solutions, etc.), remember: what they tell you or how they word their marketing materials may not be quite accurate (not the same as lying, it is sales and marketing). A vendor that says it is “PCI compliant” is making a claim about its own environment, not yours. There are many services you can outsource to a third party, but remember: you can’t outsource your ultimate responsibility to protect your customers’ credit card data. To properly assist you in engaging and managing service providers and vendors, the PCI Security Council has created another (you guessed it) free resource. Questions to Ask Your Vendors provides a set of specific questions to ask vendors to make sure they are protecting your customers’ credit card data. You should only work with vendors and service providers who understand and accept their responsibility to protect cardholder data as described in the PCI DSS. In practice, that means getting a written agreement that spells out which PCI DSS requirements the provider covers and which remain yours, obtaining the provider’s current Attestation of Compliance (AOC), and checking its compliance status at least annually, which is what PCI DSS Requirement 12.8 expects of you as the merchant.

I commend the PCI Security Council and thank the PCI Small Merchant Taskforce for developing these wonderful resources and tools. Not only do they help the small merchants who are new to the PCI DSS and those who have completed PCI assessments in the past, but they also improve communication between merchants and their QSAs. No longer will the QSA be speaking a foreign language. Now, small merchants and QSAs will be speaking a common language to secure their customers’ credit card information and help reduce the risk of a credit card breach.

LBMC Information Security is one of the longest-tenured and largest PCI assessors in the United States, and our team stays on top of the requirements within the industry. If your organization is considering a PCI assessment, contact us to learn how we can help.