
PCI Compliance: Commonly Asked Questions

Editor’s note: Payment Card Industry compliance is a requirement for virtually all ecommerce merchants. But it’s also a complex and difficult topic to understand. With that in mind, Practical eCommerce is teaming with Coalfire IT Audit and Compliance, a firm expert in PCI matters, in a series of articles aimed at answering merchants’ questions about PCI compliance. For the first article in this series, we get the insights of Coalfire co-founder and president Rick Dakin. We asked Dakin two questions that we believe are representative of those that many merchants have. We’ll continue asking him and other Coalfire representatives questions throughout the series.

Dakin helps clients develop balanced approaches for effective IT governance and regulatory compliance programs. His experience results from more than 25 years in senior management with leading IT firms.

If you have a PCI compliance question, email Kevin Patrick Allen, contributing editor, at kevin@practicalecommerce.com and we’ll attempt to address it.

Practical eCommerce: PCI compliance is different for varying sizes of business. Assume a business grosses $700,000 per year and processes roughly 13,000 credit card transactions each year. What does it have to do to become compliant?

Rick Dakin: Review the PCI Data Security Standard and identify the control areas that apply to your environment. Make sure you have implemented those controls that require the use of approved payment applications, limitations on physical and computer access to cardholder data, and other security controls.

Once you are satisfied that you have implemented the relevant controls, go back to the PCI Security Standards Council website and download the qualifications sheet to determine what level of compliance report you should submit. With only 13,000 transactions per year, you are definitely a Level 4 merchant but you will have a few choices on which compliance validation requirements apply to you.

In most cases, you must obtain quarterly external vulnerability scans from an approved scan vendor (ASV) and complete a self-assessment questionnaire (SAQ) each year. Again, the type of SAQ that is appropriate for you will be highlighted in the qualification process that is listed on the PCI SSC link provided above.

As an option, Coalfire (a PCI Qualified Security Assessor) provides an online SAQ form that includes a qualification process that selects the appropriate compliance test procedures for you.

PeC: Our ecommerce company is very small. What are the chances that we’ll get caught if we don’t become PCI compliant?

Dakin: Until now, I would have to report that very few acquiring banks (i.e. merchant account providers) have implemented comprehensive programs to validate PCI compliance for level 4 merchants. Unfortunately, the chances of getting caught are increasing every day. However, I do not expect that your processor will identify your non-compliance and start issuing fines. The more likely scenario is that a botnet program will identify your site and load malware to collect cardholder data for subsequent fraudulent use by a cyber criminal. The number of level 4 merchants getting compromised is growing at an alarming rate.

At the time of compromise, a forensic investigator will assess your level of PCI compliance and determine that you were not compliant. Accordingly, all fraud conducted on cards that we identified on your compromised systems will be charged back to you. This Account Data Compromise Recovery or ADCR process enables the card brands to collect losses in the system directly from you. The cyber criminals are getting better and we typically see losses of over $50,000 when just 1,000 cards are compromised.

The other program that is picking up steam is the requirement for processors to validate that their merchants are using only PCI compliant (or PA-DSS validated) payment applications, which includes shopping carts. This requirement will probably increase your chances of being identified as non-compliant in 2010 as the deadline for PA-DSS validation approaches (July 2010).

Kevin Patrick Allen