PCI DSS - The farce of credit card "compliance"

by Chris Brown

PCI DSS, or Payment Card Industry Data Security Standard, is a relatively recent development for businesses that process credit and debit card transactions, with a particular focus on businesses that use internet (IP)-based terminals. The various financial services companies such as Visa, Mastercard and Amex brought their security programs together, purportedly in a bid to combat fraud.

Having assisted quite a few of our clients through the significant technical hurdles of becoming "compliant" I have come to one simple conclusion: that PCI DSS has been created to offset the large fraud losses experienced by financial services companies against their customer base. Achieving compliance is nigh-on impossible without detailed technical knowledge and I believe these companies are fully aware of this. The outcome is that I don't believe that many small businesses in the UK are or remain "compliant", enabling fraud losses to be recovered as required by these companies.

In 2012, the National Retail Federation called PCI DSS a "near scam" and said it is designed less to secure card data than to profit credit card companies, while giving them executive powers of punishment through a mandated compliance system that has no oversight [1].

The concept is fairly simple: keep your network secure, prove that this is the case, and you can process card transactions unhindered. Seems clear enough. It is only when a small business owner (in our case a practice manager or principal) attempts to complete the requisite Self-Assessment Questionnaire, designed to answer questions about how you take payments, that things start to come unstuck.

The website of the PCI Security Standards Council at https://www.pcisecuritystandards.org/security_standards, apparently set up "to help organizations ensure the safe handling of cardholder information at every step", currently asks you to:

  1. Read the Instructions and Guidelines Document (17 pages)

  2. Read the advisory "PCI Data Security Standard Self-Assessment: How it All Fits Together" which apparently "provides an actionable framework for developing a robust account data security process". Whatever that means.

  3. Select and Download your SAQ - this is incorrectly linked on the website, so you have to find the SAQs yourself - and choose between no fewer than 15 different questionnaires, from one entitled SAQ C-VT v2.0 to another called SAQ P2PE-HW v3.0.

All this from a website designed to help you navigate your way through this PCI DSS bureaucracy.

The SAQ itself sets out the following requirements:

  1. Assess your environment for compliance with the PCI DSS.
  2. Complete the Self-Assessment Questionnaire (SAQ C) according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.
  3. Complete a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and obtain evidence of a passing scan from the ASV.
  4. Complete the Attestation of Compliance in its entirety.
  5. Submit the SAQ, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to your acquirer.

Then come the more technical questions, which very few people can answer. For example:

"Is stateful inspection, also known as dynamic packet filtering, implemented (that is, only established connections are allowed into the network)?"

"Are default SNMP community strings on wireless devices changed?"

"Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands?"

"ENOUGH!" I hear you cry, "I JUST WANT TO TAKE CARD PAYMENTS!"

So what are the options?

  1. Switch to GSM payments - card terminals are now available that connect over mobile networks, and they fail over to an alternate network if one becomes unavailable. Speak to your terminal provider about these. These pass the PCI compliance element on to the mobile signal providers and rid you of the headache entirely.
  2. Obtain an internet connection with a “range” of internet (IP) addresses. Your payment terminal can then be connected to a completely different IP address and therefore doesn’t come into contact with your main network at all.
  3. Install a completely separate internet connection for your payment terminals. This is more drastic than (2) but provides a failover in case of a problem with your main internet connection.
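As an added illustration (not part of this article or Dental IT's own configuration), this is what option 2's separation and the SAQ's "only established connections are allowed into the network" item look like as an nftables ruleset on a small router. The interface names, the two address ranges and the acquirer address are assumptions; the acquirer address in particular is a placeholder to be replaced with the one your terminal provider gives you.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the article. Assumed (constructed) layout:
#   practice LAN   on lan0 = 10.0.10.0/24
#   card terminal  on pay0 = 10.0.20.0/24 (its own segment, option 2 above)
#   internet       on wan0
# NAT/masquerading for the two segments is left to the router's existing setup.

define LAN_IF   = "lan0"
define PAY_IF   = "pay0"
define WAN_IF   = "wan0"
define PAY_NET  = 10.0.20.0/24
define ACQUIRER = 192.0.2.10   # PLACEHOLDER acquirer / payment gateway address

table inet pci {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful inspection (the SAQ's "dynamic packet filtering"): replies to
        # connections opened from inside are allowed back, new inbound is not.
        ct state established,related accept
        ct state invalid drop

        # The practice LAN and the terminal segment never exchange traffic,
        # so the terminal does not come into contact with the main network.
        iifname $LAN_IF oifname $PAY_IF drop
        iifname $PAY_IF oifname $LAN_IF drop

        # Telnet (23) and SNMP (161/162) are never forwarded into the terminal
        # segment, matching the SAQ items on insecure remote login and SNMP.
        oifname $PAY_IF tcp dport 23 drop
        oifname $PAY_IF udp dport { 161, 162 } drop

        # The terminal may open new connections only to the acquirer over TLS.
        iifname $PAY_IF oifname $WAN_IF ip saddr $PAY_NET ip daddr $ACQUIRER tcp dport 443 ct state new accept

        # Ordinary office traffic from the practice LAN to the internet.
        iifname $LAN_IF oifname $WAN_IF ct state new accept
    }
}
```

Load it with `nft -f` on the router; the final drop policy means anything not listed, including any new connection from the internet towards either segment, is discarded.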

Hopefully the above has been of some assistance. Dental IT ensure their clients comply fully with PCI DSS and have a number of years' experience in the field. Please contact us if you are looking for support in this or any other area relating to your IT.

[1] http://www.wired.com/2012/01/pci-lawsuit/
