Author Archive

Getting Started: Urgent Remediation

This post is part of the Getting Started with PCI-DSS Compliance series.

The Zeroth Step: Urgent Remediation

Before we get into the meat of the series, let me emphasize the importance of taking a risk-prioritized approach from day one.  Compliance should not be your motivation.  Iron-clad protection of sensitive cardholder data should be your goal.  Compliance will follow naturally… eventually.  The subtext here is that while you develop your compliance strategy, high-risk activities should be identified and addressed immediately.

We recommend scheduling interviews with representatives from each line of business that owns a merchant account, as soon as possible.  (continue reading…)


Getting Started With PCI DSS Compliance

For those who have been in the trenches for years, a series about how to begin to grapple with PCI compliance may come as a surprise.  After all, the compliance deadlines are all long past.  However, we recently sat down with an advisee who received marching orders to tackle PCI compliance for his employer, a merchant who only just learned of their compliance obligations.  If you find yourself swimming in similar straits, this series will provide some basic advice on where to begin and point you to important resources.  We invite our more experienced readers to provide additional resources in the comments!

It Begins…

So you’ve gotten a letter or a call or a visit from your merchant bank.  They’ve told you about this PCI Compliance thing-a-ma-bob, and now you’re preparing to explain it to the next level up.  What do you tell them?

Whatever it is, you need to be prepared to respond to the following questions: (continue reading…)


PCI DSS Service Providers – A Definition

In the early days of PCI DSS, I recall having many conversations with vendors of payment applications and card-related services in which we spent hours persuading and educating providers about their new obligations.  This was before the Payment Application Data Security Standard (PA DSS), which gave us something more concrete to point to in these situations.

Thankfully, these conversations are now a rarity.  However, as the banks extend their compliance focus to level three and four merchants, who may rely on locally grown applications and services, situations may still arise where a vendor does not know about PCI or PA DSS.  Or the vendor simply may not consider their service subject to the standards.

For that matter, you may wonder if you are a service provider yourself!  Many organizations make use of multiple merchant accounts for a variety of legitimate business reasons.  In such circumstances, organizations may wrestle with this question.*

So, how does service provider compliance relate to merchant compliance?  And how is service provider status determined?

(continue reading…)


Is a corporate service organization a Service Provider under PCI even if it is internal?

A reader recently submitted the following question to Ask PCI DSS Guru:

“A corporate service organization stores, processes, or transmits cardholder data on behalf of different departments. Each department is a merchant and there are thirty merchants. Is the corporate service organization a Service Provider under PCI even [if] it is internal?”

We saw this question arise about three years ago for a large institution (having just over 40 merchant accounts and over a dozen payment systems).  We maintained (and the institution’s acquiring bank agreed) that, because the merchant accounts belonged to a single entity, the services provided by that entity to its internal constituents did not make that organization a service provider.

Obviously, all of those merchant accounts were still in scope for PCI DSS and each system had to be certified compliant.  Here is another post that elaborates on the definition of a service provider under PCI.


An Introduction to PCI DSS (updated)

By now, one might expect that most people even remotely involved with credit card processing would have a passing familiarity with the Payment Card Industry Data Security Standard (PCI DSS).  Unfortunately, this is not the case.  Many merchants (primarily Level 4) remain unaware of the obligations introduced by the card brands’ security programs, each of which centers on the standard.

Even for those versed in PCI DSS, there are benefits to understanding its origins.  The roles and responsibilities that fall to various parties, as well as the appropriate use of the instruments involved in validating compliance, are intertwined with the origins of the standard.

(continue reading…)



  • Copyright © 1996-2010 PCI DSS Guru. All rights reserved.