Thursday, October 29, 2009

Processor Best Practices You Can Use

Visa just released its Cardholder Data Security Best Practices for VisaNet Processors. I think there are some things in this document that you as merchants can use, too. Here are a few examples with my comments/observations:
  • Entities should identify their organization’s lines of business as well as the processes involved in storing, processing and/or transmitting cardholder data. By accurately identifying all business processes that handle cardholder data, processors can better define the scope of the cardholder data environment and ensure its adequate protection.
    Great advice for everyone: document your payment process and minimize PCI scope. In my world, this is "PCI Requirement 0", meaning you should do this before you even start to attack the entirety of the DSS.

  • Truncate cardholders’ primary account number (PAN) when business processes do not require use of the full PAN.
    Truncation takes the data out of scope. And why are you saving the full PAN anyway? For more, consider...
  • Support unique identifier tokens (e.g., a Visa Transaction ID is used in some regions) for recurring payments and dispute resolutions, thereby eliminating merchants’ storage of PAN data and reducing scope for acquirer processing systems where use of the full PAN is unnecessary.
    Bingo! In my experience, there are two frequently cited and equally unnecessary reasons schools and other merchants retain PANs. One is recurring payments, and as Visa notes, you don't need to keep the PAN for these. The other is chargeback processing, which, again, doesn't require that you store the PAN. You say your processor doesn't support this? I say ask them again, and if you still can't get a straight answer, get a new processor.
  • Entrust a security champion at the senior executive level to lead the organization’s data security efforts, including the development and maintenance of the security policy and its strict adherence across the organization. Senior executive management (e.g., Chief Information Officer, Chief Technology Officer or Chief Information Security Officer) should be central to the oversight of the organization’s data security policies, programs and procedures.
    Senior management commitment is critical to PCI implementation and your security. This goes for merchants and processors.
  • Perform vulnerability scans and penetration tests more frequently than required by the PCI DSS for critical resources (e.g., monthly, weekly or more often). Scan all resources including networks, systems, applications, databases, services and components for vulnerabilities and perform penetration tests to determine the effectiveness of current security controls.
    Scanning is a low-cost way of letting you sleep better at night. Check out how much (little?) it will cost to go from quarterly to more frequent scans. You might be pleasantly surprised.
  • VNPs should not solely rely upon an annual assessment by a QSA to identify where cardholder data is being handled or to uncover any lapses in security controls. Instead, third party assessments completed by a QSA should support the VNP’s existing security programs and regular internal reviews.
    This is another way of saying PCI compliance doesn't make you secure.
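Three of Visa's points above (find every process that handles cardholder data, truncate the PAN where the full number isn't needed, and keep a processor token instead of the PAN) can be turned into working code. The following is an added example, not from Visa's document or this post; it assumes a simple merchant-side record layout, a toy `ProcessorTokenVault` class that stands in for the processor (constructed here, not Visa's Transaction ID mechanism), and the log lines are constructed sample data. The discovery scan is the general technique (digit runs of 13 to 19 plus a Luhn check), so it also finds PANs in files and database dumps, not only in logs.

```python
import json
import re
import secrets

# Constructed sample application log, standing in for whatever a merchant's
# systems actually write. Line 2 is the kind of leak a scoping exercise finds.
SAMPLE_LOG = [
    "2009-10-29 10:02:11 INFO order=1234567890123 status=ok",
    "2009-10-29 10:02:12 DEBUG card=4111 1111 1111 1111 exp=11/12",
    "2009-10-29 10:02:13 INFO recurring token=tok_deadbeefcafef00d last4=4444",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check-digit test. Every card PAN passes it; most order numbers and
    timestamps do not, so it trims false positives when hunting for PANs."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the PANs (digits only) in text: regex candidates that pass Luhn."""
    pans = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def scan_log(lines):
    """Cardholder-data discovery: (line number, PAN) for each line holding a full PAN."""
    return [(n, pan) for n, line in enumerate(lines, 1) for pan in find_pans(line)]


def truncate_pan(pan):
    """PCI DSS truncation: keep at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class ProcessorTokenVault:
    """Toy stand-in for the processor side of tokenization (constructed for this
    example; not Visa's Transaction ID scheme). The PAN lives here, never in
    the merchant's records; the merchant charges by token."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        digits = re.sub(r"\D", "", pan)
        if not luhn_valid(digits):
            raise ValueError("not a well-formed PAN")
        token = "tok_" + secrets.token_hex(8)  # random, not derived from the PAN
        self._pan_by_token[token] = digits
        return token

    def charge(self, token, amount_cents):
        pan = self._pan_by_token[token]  # resolved on the processor side only
        # Authorisation against the card network would happen here; the
        # response carries the token and last four, never the PAN.
        return {"token": token, "amount_cents": amount_cents,
                "last4": pan[-4:], "approved": True}


def make_merchant_record(pan, vault):
    """What the merchant keeps for recurring billing and disputes: the token
    plus a truncated PAN for display. The full PAN goes to the processor once
    and is then dropped."""
    return {"token": vault.tokenize(pan), "pan_display": truncate_pan(pan)}


def record_holds_pan(record):
    """Self-check: run the discovery scan over the stored record itself."""
    return bool(find_pans(json.dumps(record)))


if __name__ == "__main__":
    for line_no, pan in scan_log(SAMPLE_LOG):
        print("line %d stores a full PAN, shown truncated: %s" % (line_no, truncate_pan(pan)))
    vault = ProcessorTokenVault()
    record = make_merchant_record("4111 1111 1111 1111", vault)
    print("merchant record:", record, "holds PAN:", record_holds_pan(record))
    print("recurring charge:", vault.charge(record["token"], 1999))
```

Run the file as-is to see the leaked PAN on log line 2 reported (the order number on line 1 fails Luhn and is ignored), then a merchant record that contains nothing the same scan would flag, and a recurring charge placed with the token alone.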
There is other good stuff there. Download it, read it, and maybe even share it with your processor...
