MYTH 1: PCI DSS is not applicable to me
Every entity that processes, stores or transmits payment card data is required to comply with the PCI DSS standard. However, this does not mean that every entity needs a PCI DSS certification in the sense of an on-site audit and a Report on Compliance issued by a QSA; smaller entities validate compliance through a self-assessment questionnaire (SAQ). The entity can become compliant either through its own mechanisms, or with the help of external parties. Even if an entity does just one card swipe in a year, it is still required to comply with the PCI DSS standard.
PCI DSS comprises 12 major requirements and around 300 sub-requirements, but not every sub-requirement is mandatory for every organization. Banks, merchants and service providers (SPs) have different aspects applicable to them, so the organization first needs to scope its cardholder data environment and find out which requirements apply to it.
PCI DSS is driven by the payment card brands, which include Visa, MasterCard and American Express, among others. Acquiring banks (the entities that merchants use to process their payment card transactions), as well as banks that are issuers, have to ensure that their merchants are compliant with the PCI DSS standard. Banks also need to ensure that the POS terminal used by merchants is either provided by them or by their SP. In case of a fraud, the acquiring bank can be held accountable for damages because it is the bank's responsibility to ensure that its merchants are compliant.
The card brands categorize merchants into four levels based on their annual number of transactions, and each level's validation requirements (self-assessment, quarterly external network scans, or an on-site assessment) follow from that level. The standard defines the role of the qualified security assessor (QSA), who performs on-site assessments, and the approved scanning vendor (ASV), who performs the external vulnerability scans.
Except for a few big entities, Indian retailers have not taken PCI DSS compliance seriously. There can be several reasons for this, including lack of awareness and lack of technical resources.
Service providers also need to be PCI DSS compliant. These are organizations that process, store or transmit cardholder data on behalf of card members, merchants or other SPs, such as payment gateways, e-commerce hosting providers, managed service providers and credit reporting agencies.
MYTH 2: I've never had a fraud, and my business is very small, so why should I go in for PCI DSS certification?
It's natural for any organization to expect returns when it is spending a certain amount of money on PCI DSS compliance. Thus, when organizations are looking to comply with the PCI DSS standard, they often ask questions such as, 'What do I get in return?' or 'Why should I go in for it?'
There are two reasons to go in for PCI DSS certification: it helps you to meet the contractual obligations imposed by your acquiring bank and the card brands (and any regulatory requirements that apply to you), and it helps you to become more secure against frauds. PCI DSS covers a comprehensive baseline of security controls for the environment in which cardholder data is handled. Being a very meticulous and technical standard, PCI DSS also extends a high degree of security assurance to a company. Overseas companies demand PCI DSS compliance as an essential requirement when they are looking for SPs. There are several examples of Indian BPOs being able to expand their business after achieving PCI DSS compliance. PCI DSS also brings discipline to the business because your security controls are validated and re-examined on a continuous basis rather than once: every quarter the company needs to undergo ASV scans of its externally facing systems to identify new vulnerabilities, and quarterly internal vulnerability scans are required as well, although these may be performed by the company's own staff.
MYTH 3: Getting PCI DSS compliant is very capital-intensive
PCI DSS is one of the most technically intensive standards. There is no scope for anyone to change the written-down standard, and it has to be followed to the letter. Where a requirement genuinely cannot be met as written, the only flexibility the standard offers is a documented compensating control that a QSA must validate as meeting the intent of the original requirement. There are several strict requirements such as encryption and application security in PCI DSS. This technicality and lack of flexibility often frightens people. They get worried about questions like 'Are we capable of doing it?' and 'Will we need to incur much cost in order to comply?' Resources and capital expenditure become concerns for the company, but these issues can be sorted out with the help of a QSA. The first step is to reduce scope: segmenting the network so that only the systems that actually handle cardholder data fall under the standard, and not storing card data that the business does not need, cuts down the number of controls that have to be implemented. The company does not need to spend heavily on controls to get compliant because, technology-wise, there are several open-source and free solutions available (for logging, file-integrity monitoring and intrusion detection, for example) which can be used under the guidance of a QSA.
Awareness regarding PCI DSS compliance is slowly increasing in India, and certain industry regulatory bodies have shown interest in making PCI DSS compliance compulsory in the near future.
About the author: Suresh Dadlani is the chief operating officer of Control Case, a qualified security assessor company certified by the PCI Security Standards Council. Control Case provides PCI DSS audit services.
(As told to Dhwani Pandya)
This was first published in May 2010