Getting Started

PCI Compliance for the Resistant

Bill wrote in and asked the PCI DSS Guru this question:

We are a franchiser. The typical franchisee is a small store with 2 registers and a back office computer. They are having a difficult time with PCI compliance, mostly due to the store owner’s lack of knowledge of PCI, an unwillingness to budget sufficient funds to attain and maintain PCI compliance, and a lackadaisical attitude.

Since these stores will never be PCI compliant, we have suggested that they take an approach that will protect themselves as much as possible. Our advice is to stop using the POS software to process credit cards, and switch to the terminals supplied by their processors. This would take their POS system out of scope entirely, and severely reduce the possibility of a keylogger type of attack. At that point, we believe their only PCI compliance issues would be protecting the terminals and how they handle credit cards that are phoned in and written down. We are getting a lot of push back from the stores that this would be a step backwards.

Are we on the right track? Is there a better approach to handling people who simply can’t or won’t do what’s necessary to attain and maintain compliance?

Bill, I think that you’re definitely on the right track here.  I have a few specific pieces of advice that may help guide your PCI compliance efforts.

First, I would carefully consider how you have your merchant accounts structured.  Does each franchisee have a direct relationship with the bank?  This would be ideal, as the liability then rests with the franchisee to be PCI compliant.  If the franchisees are reluctant to comply and you don’t have the authority to make them comply, then you certainly don’t want to accept responsibility for their compliance!

Second, have you considered a point-to-point encryption (P2PE) solution? If the credit card numbers are encrypted at the time of swipe and the merchant never has electronic access to them, the franchisees may be eligible to complete the abbreviated P2PE SAQ. Quoting from that document:

“SAQ P2PE-HW merchants may be either brick-and-mortar (card present) or mail/telephone-order (card not present) merchants. For example, a mail/telephone-order merchant could be eligible for SAQ P2PE if they receive cardholder data on paper or over a telephone, and key it directly and only into a validated P2PE hardware device.”

Whatever approach you take, you should work to provide merchants with a solid path toward compliance.  In my mind, you’re responsible for guiding them to water, but you can’t make them drink.  Once you’ve outlined the path to compliance, it’s on them to step up and meet their contractual obligation.


Getting Started: Urgent Remediation

This post is part of the Getting Started with PCI-DSS Compliance series.

The Zeroth Step: Urgent Remediation

Before we get into the meat of the series, let me emphasize the importance of taking a risk-prioritized approach from day one.  Compliance should not be your motivation.  Iron-clad protection of sensitive cardholder data should be your goal.  Compliance will follow naturally… eventually.  The subtext here is that while you develop your compliance strategy, high-risk activities should be identified and addressed immediately.

We recommend scheduling interviews with representatives from each line of business that owns a merchant account, as soon as possible.  (continue reading…)


Getting Started With PCI DSS Compliance

For those who have been in the trenches for years, a series about how to begin to grapple with PCI compliance may come as a surprise.  After all, the compliance deadlines are all long past.  However, we recently sat down with an advisee who received marching orders to tackle PCI compliance for his employer, a merchant who only just learned of their compliance obligations.  If you find yourself swimming in similar straits, this series will provide some basic advice on where to begin and point you to important resources.  We invite our more experienced readers to provide additional resources in the comments!

It Begins…

So you’ve gotten a letter or a call or a visit from your merchant bank.  They’ve told you about this PCI Compliance thing-a-ma-bob, and now you’re preparing to explain it to the next level up.  What do you tell them?

Whatever it is, you need to be prepared to respond to the following questions: (continue reading…)


When Will I Be Asked To Comply With PCI DSS?

A reader recently submitted the following question to Ask PCI DSS Guru:

“When will merchants be contacted with the questionnaire for compliance? I have had card processing for 8 years and have never been contacted previously.”

(continue reading…)


An Introduction to PCI DSS (updated)

By now, one might expect that most people even remotely involved with credit card processing would have a passing familiarity with the Payment Card Industry Data Security Standard (PCI DSS).  Unfortunately, this is not the case.  Many merchants (primarily Level 4) remain unaware of the obligations introduced by the card brands’ security programs, each of which centers on the standard.

Even for those versed in PCI DSS, there are benefits to understanding its origins.  The roles and responsibilities that fall to various parties, as well as the appropriate use of the instruments involved in validating compliance, are intertwined with the origins of the standard.

(continue reading…)


  • Copyright © 1996-2010 PCI DSS Guru. All rights reserved.