By OJ Jonasson
How Is Your PCI-DSS Compliance Progressing?
In 2006 the major card brands (Visa, MasterCard, American Express, JCB and Discover Financial Services) created the Payment Card Industry – Security Standards Council (PCI-SSC). The Council’s mandate was to establish and maintain a universal set of information security standards for merchants throughout the world who accept payment cards. The Council maintains the Payment Card Industry – Data Security Standard (PCI-DSS), a detailed set of security requirements organised into 12 well-established information security domains.
In order to validate compliance with the PCI-DSS, merchants have been given two options: i) through an onsite assessment and Report on Compliance by a Qualified Security Assessor (QSA), or ii) through a Self Assessment Questionnaire (SAQ) – both of which are to be sent to the merchant’s acquirer for validation.
The card brands divide merchants into four levels based on annual transaction volume, from Level 1 for the highest volumes down to Level 4 for the lowest. All Level 1 merchants must have an onsite assessment performed by a QSA, while Level 2 through 4 merchants may either have an onsite assessment or validate using the self assessment approach.
The deadline for mandatory compliance by merchants of every level, regardless of size, has long since passed.
Validating PCI-DSS compliance sounds simple and straightforward, and it may be, until the “exceptions” to the Standard start to emerge.
As a prime example, merchants in Canada effectively have no ‘self assessment’ option, since every self assessment must be reviewed by a Qualified Security Assessor, which in practice translates into a potential onsite assessment.
Another example concerns smaller merchants that accept AMEX cards. They are not required to validate their PCI-DSS compliance with American Express, nor is there any mechanism for doing so. So while the PCI-DSS requires that you validate your compliance, there is no way to do so with American Express, one of the founding and supporting members of the PCI-SSC.
Speak with three acquirers concerning your validation requirements and you will frequently get entirely different and often contradictory responses.
Based on personal experience working with small to medium size merchants (Levels 3 and 4) in BC, the rate of validation is estimated at less than 1% and will remain at that level until there are radical changes and improvements to the PCI Standard. Moreover, common knowledge would suggest the vast majority of Level 1 and 2 merchants in BC have yet to validate their PCI-DSS compliance.
IMHO, the PCI-DSS security program has been an abysmal failure for the cardholders, the merchants and the issuing banks. In contrast, it continues to be an excellent source of added revenue for the card brands.
About the Author
OJ Jonasson is a certified management consultant (CMC) with over 35 years of IT consulting experience and a former partner with KPMG, Ernst & Young and Price Waterhouse. He specializes in IT security and has earned the CISSP, CWSP and SCSE designations in IT security. He received training as a PCI-DSS QSA and ASV but elects to work directly with merchants in their efforts to achieve PCI-DSS compliance.
