Thursday, August 9, 2012

Part 2: The Credit Card Settlement and You

A few weeks ago I wrote about the pending settlement in the major antitrust lawsuit brought by merchants against Visa and MasterCard.  A key element in that settlement is the ability of merchants to add a surcharge on credit card transactions.  

According to an article in today's New York Times, it looks like the settlement has been accepted.  I suggest you read the article.  

Some of the issues you may want to think about:

  • Does surcharging make sense for your campus?
  • Will campuses that accept MasterCard but not Visa still be able to do so?
  • What about debit cards, and the differing rules between Visa and MasterCard?

While this is not strictly a PCI issue, the settlement does affect your payment card program.  

Wednesday, August 8, 2012

Ten Ways to Fail at PCI

A column by Ericka Chickowski at Dark Reading describes ten ways to fail a PCI DSS compliance assessment.  Here is a brief summary of each of the ten missteps together with a little personal commentary:

  1. Picking the first QSA who comes along.  Good advice: choose your QSA carefully.
  2. Skip a pre-audit assessment.  For anyone but a Level 1 merchant, this means failing to conduct a PCI gap analysis.  The gap analysis should point out not only your current compliance gaps and remediation options, but it should also identify areas where you can reduce your PCI scope by making business process or technical changes.  It goes back to item #1 - picking a QSA that knows more than just the details of PCI can be a good idea.
  3. Skipping the pre-audit checklist.  OK, I'll admit it.  I hate the word "checklist" in the PCI context, but here it makes sense.  This means understanding what documents you need as evidence of your compliance (written security policies, for example) and having the right people lined up for your PCI gap analysis.
  4. Poor documentation.  If it is not written down, it doesn't exist.  
  5. Bad assumptions.  If you only read the words in a PCI requirement, you can miss the intent.  Focus on the intent and you can save a lot of wasted effort and heartache.  This is where a QSA who lives in the PCI "echo chamber" can help supplement your internal resources.  
  6. Too much data.  Too often PCI teams fail to ask the question: "Why do you need that data?"  If you get an answer that rhymes with "Well, we always did it that way" you could be on the track to having too much cardholder data to protect.  And too much data translates into added cost and, importantly, added risk.
  7. Ineffective scoping.  Scoping is critical, and it can be difficult in the absence of good, detailed network diagrams.  Well-constructed dataflow diagrams can help identify systems and devices that are in scope for PCI.  Finding another network segment or system half-way through the compliance effort is no fun for anybody.
  8. Blindly trusting your software application.  This one may be my second-favorite.  The dangerous refrain is: "We have a PA-DSS validated app, so we're compliant."  Perhaps the only more dangerous thing would be to believe that statement.  Payment apps have to be installed and maintained, and just because they are PA-DSS validated does NOT mean they don't store electronic cardholder data.  Validated apps help compliance, but they are not a silver bullet.
  9. Blindly trusting your service provider.  This one is my top choice.  I'm going to hold off my "you can outsource your processing, but not your responsibility" speech (er, rant?).  I will simply say that any merchant who does not use Level 1 service providers exclusively (listed on Visa and MasterCard websites) is making a mistake and taking undue risk.  The same goes for using a reseller/system integrator for your application (see #8) who has not been through the PCI Council's training program.
  10. Thinking your SAQ means you're done.  PCI is a program, not a project.  Celebrate your accomplishment in validating your compliance, but remember there is always something you need to be doing.  PCI is the gift that keeps on giving.
There you have it.  Read Ericka's column and apply it to your own situation. 

Wednesday, August 1, 2012

PCI Training Options

There are few areas where training pays bigger dividends than complicated, high-risk areas like PCI compliance.  The reasons are that the standard is complex and detailed, and if you get it wrong, your institution's reputation (and checkbook) may be at risk.

One of the best sources of information sharing and training is the Treasury Institute's annual PCI Workshop.  There, institutions of all sizes from across the country (and Canada) come to share experiences, lessons learned, and best practices in achieving PCI compliance on their campuses.

The PCI Council also offers an increasingly broad array of PCI training sessions for merchants.  If you want the same training as QSAs receive, you can pursue the Internal Security Assessor (ISA) program. There also is PCI Awareness Training for executives and managers -- no previous PCI experience required.  A big difference -- and maybe an advantage -- is that attendees in the PCI Council sessions come from all industries, not just Higher Ed.  Therefore, these may provide a broader perspective on issues and solutions.

The programs of the Treasury Institute and the PCI Council are complementary, and between them they offer schools a range of options.  The only way you can lose is by not doing anything.