PCI DSS for small merchants
Mathieu Gorge, CEO and founder, VigiTrust
PCI DSS applies to mom-and-pop shops as well as household-name retailers. The validation level is based on annual credit card transaction volume, not monetary value. At the lowest level, you validate compliance by filling out a self-assessment questionnaire (SAQ) and performing quarterly scans using an approved scanning vendor (ASV). At the highest level, a qualified security assessor performs an on-site audit annually, and quarterly scans are also mandatory.

All merchants must comply with all requirements, regardless of the validation mechanism. So small merchants need to ensure they have appropriate technical and physical security safeguards, as well as policies and procedures, in place. They also need to train all appropriate staff upon hire, and once annually thereafter, in credit card security. This is often overlooked by merchants who are misled by compliance readiness programs, some of which include only the mandatory quarterly scans and SAQs and leave out training and policies.
Many banks have already written to merchants about PCI DSS, aggressively promoting compliance programs by publicizing the risks of noncompliance: bank fines, card brand fines, potential loss of the ability to process credit cards, Visa forensic investigation costs and consumer card replacement costs. However, smaller merchants feel this can't happen to them because, while the card brands publish aggregate fine totals, they do not name and shame. The media, however, does, which creates huge reputational risk for small merchants who, unlike a TJX with enough money to manage a security incident and bounce back, will suffer greatly, lose clients and may even go out of business.

Visa is now satisfied that 96 percent of its Level 1 merchants in the United States are compliant, whereas Level 4 merchants' compliance is "moderate." Focus is therefore shifting toward smaller merchants in specific industries, especially hospitality. Last year, Visa identified vulnerabilities targeting the hospitality sector, which an independent report then confirmed by showing that hackers steal card data from this vertical more than any other.
So how do small merchants comply? First, descope: can you remove noncritical components to reduce PCI DSS scope? Can you map cardholder data flow in an ecosystem diagram? Do you verifiably protect data according to PCI DSS technical, procedural and skills-transfer requirements? Remember, this is not rocket science, and it should be done anyway to comply with laws governing personally identifiable information.
Do enroll in a compliance program, but ensure it covers more than just scans and the SAQ. PCI DSS readiness programs must also include staff training and policies and procedures. Maintain security levels at all times to achieve continuous compliance and reduce recertification costs.

PCI DSS version 2.0 was unveiled in September at the PCI Community Meeting in Orlando, Fla. Its impact on small merchants remains to be seen. However, security breaches involving credit cards definitely will happen to both small and large merchants. Fines will be issued, and reputational damage will take its toll. The last thing small merchants need at this challenging time for business is reputational damage. Keep your customers' cardholder data safe to keep your business safe, and use PCI DSS as a strategy to do so.
Mathieu Gorge is the CEO and founder of VigiTrust.