Are you in compliance with the current standards that are set in these times of needed security? You must ask this question daily. You and your business needs to be in charge of security for yourself and your customers.

Why has the PCI Council set forth a series of PCI standards? The answer is pretty clear cut — because identity theft has become one of the most rapidly growing and problematic issues to date. In fact, identity theft is a problem crime that’s growing at astronomical rates worldwide. As such, the development of PCI standards seeks only to protect businesses and consumers from would be ID thieves.

PCI standards vary from merchant to merchant based on specific merchant levels. These merchant levels are derived from a series of criteria that were compiled by the PCI Council. Depending upon which merchant level your business carries, you’re PCI standards may vary from that of a different merchant. However, if you plan to continue in e-commerce or you have aspirations of accepting credit card or debit card payments through your website, you will be required to know and adhere to your specific PCI standards.

Today, there is a wide variety of tools designed to help businesses comply to PCI standards. PCI scanners and PCI vulnerability tools are relatively easy to find and can end up saving merchants lots of money and heartache in the long run. In as much as PCI scanning can protect merchants from these scams, it can also protect and save you and your consumers a substantial amount of time and money over the long haul as well.

Statistics indicate that victims of identity theft spend around 600 hours trying to correct all of the problems caused by the crime. This is an increase of over 2000% in the last three years. With technology becoming more advanced, crime is becoming more advanced as well. As such, in order to stay ahead of the thieves, the PCI standards set forth by the PCI Council are becoming mandatory.

It’s also notable that the utilization of tools to help businesses adhere to the PCI standards set forth by the PCI Council is also an excellent marketing tool. In fact, many consumers agree that if a company can provide them constant and consistent safe and secure transactions, they will very likely become repeat customers. It stands to reason that protecting your customers is an act of good faith and also helps to instill confidence in the consumer that you are a reputable business owner, who cares about the client’s needs.

It is possible to learn more about PCI standards and what it takes to be PCI compliant. You will find that, especially as a merchant, questions are readily answered in order to help you best serve yourself and your customers. It’s also important to note that even if you are a sole proprietor, any transaction made over the Internet must adhere to PCI standards.

The time is now, and if not today then tomorrow. It is time to be in charge of your security and to be in compliance with the current standards set forth.

“Hi, my name is Ward Spangenberg. I’m a Delivery Director with IOActive, in Seattle, Washington. Today, I’m going to talk about PCI and what it means to Europe and how it’s affecting operations in Europe. The first question you might ask is “What is PCI?” PCI stands for Payment Card Industry. That doesn’t mean much. What we’re really talking about are the Data Security Standards, so PCI DSS.

These are twelve standards requirements that are required by companies that process credit cards. We have three different types of companies that do this. We have Level 1, Level 2, and Level 3 merchants.
The merchant is based upon the number of credit card transactions that occur during a year’s span. You have anywhere from anything less than a million cards would be considered a Level 3 merchant. Anything from one million to five million is going to be a Level 2 merchant. Anything beyond five million is going to be a Level 1 merchant.

With Level 1 merchants, those are required to have a third party come in and perform an audit. That’s what I do. I’m the auditor. What happens is I have to understand all twelve of those requirements and sub-points underneath those requirements. We have things like understanding firewalls and the firewall rule sets, to actual compliance regulations. Do you have HR? Are you doing things like background checks on your employees? It’s a comprehensive baseline. This is really important to understand with PCI. It’s not the end-all/be-all of security. It’s the start of a good security program.

Why is this important to you? The big thing is a merchant, a retailer, or anybody who takes credit cards, this is important to you because it allows you to have the baseline, the beginning of a security program. As I said, it’s the requirements. We can talk about the requirements.

Requirement number one is having network diagrams. It’s amazing, today, how many companies don’t know what their networks look like. One of the first requirements is sitting down and documenting, and understanding what your network is all about, understanding what your firewalls are doing, understanding what your rules sets involved in this firewall. Are we protecting credit card data that is coming in and out through our Web applications? Are we segregating databases properly between what’s exposed on the Internet from what’s protected in the background?

You might be asking yourself, “What does this mean if I’m a grocery store or a shoe retailer?” You may not have a Web presence if you’re a grocery store, but you do still process credit cards. You’ve got a couple of hundred stores and you may be processing credit cards. You still have to follow that methodology as to how do you protect those credit cards.

Look at each store as sort of your remote branch. Are you protecting the credit card information locally, at that remote branch, and are you protecting in transit, and “in store” at your corporate headquarters before you do your batch processing?

When we look at PCI, it’s spread. It goes across merchants. If you’re processing credit cards, it’s really recommended that you understand what’s required of it. Now, you may question, “I’m interested in PCI. I think I process credit cards. Do I need to go through the PCI certification process?”

That’s pretty easy. If you’re a Level 1 merchant, then you do. You have to contact a third party. Once a year that third party will send an assessor onsite, or a group of assessors, and they will perform what should be a very exhaustive process. We’ll cover that in a second. They should cover this very exhaustive process and ask questions, and gather evidence, and at the end of that, they will write what’s called a ROC, or Report On Compliance.

The Report On Compliance is then turned in to your credit card processor, your requiring bank. They are the ones that when a credit card is swiped in your store, they’re the ones that give you authorization on that credit card. They are also the ones that move the money into your account after the sale has occurred.
If you are a Level 2, Level 3 or below, you get something kind of fun. It’s call the “Self Assessment Questionnaire”. For those in the SAQ, there are two versions of it. The newest version just came out this year and is sort of the 1.1 version of the Self Assessment Questionnaire.

Because it just came out, companies have the choice of doing compliancy to the 1.0 version or to the 1.1 version. Your first question is “What’s the difference?” The difference is that the 1.1 version is a lot more comprehensive and a lot more reflective of what a Level 1 merchant will go through.

The belief is that as Level 2 merchants grow – the whole idea is to grow our companies. As Level 2 merchants grow, they are going to become Level 1 merchants. The more comprehensive you are about your security the easier it will be, as your corporation grows, to establish yourself as a compliant Level 1 merchant.

Let’s get back to this Level 1 merchant. Once a quarter, they have this auditor come in. The auditor comes in and performs, we hope, a quality, comprehensive assessment of your organization. What does that mean? Again, it’s the twelve requirements with the subsets of those. I believe it’s 256 requirements, total, if you mean everything.

What should happen with an auditor, they should first ask the question, and then once you give them the answer, they should ask for proof. The process could include sitting down with HR and going through with HR and determining whether the process includes background checks on anyone who has access to credit card data. We can sit down with the encryption experts within your company, or your database administrators, and review how credit card information is processed, how it enters into the database, how it is dumped into the batch settlement reports, which are then transmitted to the credit card companies – usually at close of business or midnight, or however the business is transacted to occur.

That’s the comprehensive approach. There are – in the questions I receive when I speak about PCI is “We’ve had what we call check box auditors. Is that good? Is that bad?” It’s all about what risk you’re willing, and your company is willing to except. PCI is really, truthfully a risk mitigation tool. It’s not going to be the end-all/be-all to the security for your organization. It’s also not the stopping point, either. As you’ll see, each year there will be standards and new requirements associated. By having that growth pattern, where at least there is a good baseline to work with, you need to continue to process your security.
That’s some interesting things about your ROC. You’ve passed it. Everybody has signed off. You’re done. What happens? Once a ROC has been submitted and the payment inquirer, your merchant bank, has accepted the ROC as your compliance, some paperwork is exchanged and you get a certificate. You can say, “I’m PCI compliant”. What happens if, after that’s all gone through, someone gets hacked?

The first thing that happens is that you’re told by your merchant bank to contact a forensic investigator. There is a group of certain forensic investigators that are allowed to come in and perform an assessment. The first thing they do is pull that handy-dandy ROC back out and they start looking at it. They look to determine whether compensating controls that were accepted were strong enough, in terms of if the hack was associated to that. These are some important things to think about.

Again, it’s risk mitigation. Are you willing to accept the risk associated with a compensating control? Those are the things. Again, you start off; you have a baseline. You get audited to it and then you work from that. It’s a good place to start. I highly encourage companies that are processing credit cards to try to hold the standards of the PCIDSS 1.1 and to hire an external company to come in and help you determine your compliancy level, and to work with you to achieve those. Eventually, everything will be moving to those levels. The brick and mortar stores will be required to be just as safe as an online company is.
Thank you for your time.”

So there it is PCI Compliance all explained. Now of course there is more to it than that but having a PCI Compliant site will be the best thing you can do for your company and customers.