Calming PCI Compliance Qualms
Ratcheting up security as business steadily revved up had always been a priority for Motorcycle-Superstore.com. So when it was time to complete its self-assessment to validate Payment Card Industry Data Security Standard (PCI DSS) compliance, the Medford, Ore., company decided to evaluate every aspect of its security infrastructure, practices and policies.
“You should be doing a lot of the stuff for PCI compliance whether you’re handling cardholder data or not. The way you secure your web servers and firewalls is just good security practice, and we were already doing it,” says Jason Miller, vice president of technology. “But when we actually had to fill out the questionnaire, we formed a committee internally to assess everything: how the rules applied to us, what they entail and how we would comply with them.”
Given the cost of data breaches to a business’ bottom line and reputation, few merchants would take issue with the PCI DSS’ key objectives: building secure networks, protecting cardholder information, managing vulnerabilities, implementing strong access controls, monitoring and testing networks, and maintaining strong information security policies. For tech-savvy companies like Motorcycle-Superstore.com, these are standard operating procedures.
But the specific requirements of PCI DSS can bewilder and frustrate managers of small- and medium-size businesses (SMBs), which often do without IT staff, says Steven Cartwright, CFO of American Payment Systems (APS), a credit card processing company in Omaha, Neb.
“There’s lots of confusion and anger among small businesses,” says Cartwright, who notes that all 1,100 APS clients are Level-4 merchants, but that only about 50 percent of them are PCI compliant. “When someone asks about, for example, network segmentation, they don’t understand the question. They don’t have an IT guy. Even when they are compliant, I’m not sure they know why they are, or what it means. It’s a learning process for them.”
PCI compliance will become more urgent, Cartwright adds, when the “teeth of the standard” begin to show. Those “teeth” include planned hefty fines for noncompliance and much steeper penalties if a noncompliant company’s network is breached, not to mention further liability to the customers whose information has been exposed.
Although PCI DSS requirements are somewhat daunting, the experience of organizations that have successfully navigated the process of validating compliance — including Motorcycle-Superstore.com and APS — can provide some guidance.
Understand the Standard
The first step in any company’s PCI compliance effort is to figure out how the rules apply to its business. The standard categorizes companies by the number of credit card transactions they complete annually. Companies with fewer than 1 million transactions — which includes most SMBs — usually fall into Level 4 (or occasionally Level 3). PCI compliance for these businesses involves filling out an annual questionnaire about their technology, security practices and policies and, if they complete transactions over the Internet, having quarterly network scans performed by an approved scanning vendor (ASV).
But it’s not as easy as it sounds. “Understanding where your company fits within the requirements includes understanding how your company processes cards: the equipment used, the network used, where credit card data is stored and who handles [the] data,” Cartwright says. “Most companies struggle with even knowing which level they are and which SAQ [Self-Assessment Questionnaire] applies to them. It’s a learning process for them.”
The most fundamental thing small companies have to understand is that PCI compliance is an enduring and necessary part of doing business, says Shirley Tan, who owned AmericanBridal.com until last year, when she sold the online wedding accessories operation to TheKnot.com.
“Don’t put it off; be compliant from the get-go,” Tan says. “You don’t have to do it yourself, but make sure it’s done.”
Help at Hand
Some small businesses may need a hand with that first step of understanding PCI DSS, let alone with the compliance effort itself. Plenty of assistance is available, ranging from extensive information resources on the Internet — see the PCI Security Standards Council’s website (pcisecuritystandards.org) for example — to hosting companies that will relieve the burden entirely, for a fee.
APS’ Cartwright recommends that small companies seek help from others who have experience with the compliance process. “PCI compliance is so complex and deals with network terms most merchants don’t know and don’t care about,” he says. “Plus, merchants that process over the Internet will need a quarterly scan. That scan has to be completed by an authorized scanning vendor.”
Rather than picking a consultant or scanning vendor cold, he recommends that small-business leaders first seek advice from a trusted partner, such as their payment processor or bank. Often there are low-cost options, such as scanning programs organized by processors and their vendor partners, Cartwright adds.
When Tan ran AmericanBridal.com, she relied on the Yahoo! platform for gateway security and PCI compliance. She also made sure she had third-party verification that storage and encryption technologies in her back-end systems met the standard.
“I searched for an affordable platform that I could trust, and then I verified,” Tan says. “I believe you should take responsibility for your business, but that technical support is best left to the people who know what they’re doing.”
Companies whose networks are breached are 50% less likely to have had or maintained PCI compliance than unaffected businesses.
SOURCE: “Verizon Payment Card Industry Compliance Report” (Verizon Business, October 2010)
At Motorcycle-Superstore.com, however, Miller decided that preparing documentation for a PCI consultant would be as labor-intensive as managing the process internally. So he and some of his colleagues took PCI Security Standards Council training classes in the technical issues and best practices involved in compliance, and then they proceeded on their own with little difficulty, he says. They also shared the best-practices information with others in the company.
“We went to sales reps and talked to them about how to securely handle credit card and personal information,” Miller says. “It’s important that everybody is aware of the issues.”
Required Changes, Changing Needs
Once the process begins, PCI compliance can require adjustments from even the most security-conscious companies.
To meet the standard, Motorcycle-Superstore.com upgraded its reporting capability by implementing an RSA enVision appliance that securely stores and manages event logs, Miller says. The company also strengthened its intrusion detection and change-logging systems using Tripwire solutions. In response to new PCI requirements, Motorcycle-Superstore.com also has started using a web application firewall that’s provided as a service and located at the edge of its content provider’s network.
As businesses grow and evolve, so, too, do their PCI requirements. Motorcycle-Superstore.com sells gear, apparel and after-market parts on the web, over the phone and at a small brick-and-mortar retail outlet. With $80 million in online sales last year, the company is fast approaching the point at which it will need a Qualified Security Assessor (QSA) to come in to certify PCI compliance.
What is the most significant barrier to achieving PCI compliance at your company? If you have already achieved PCI compliance, what was the largest challenge in attaining it?
34% Uncertainty about the scope of the requirements
34% Don't know
17% Cost
11% Lack of technical expertise
4% Not a requirement for my business
SOURCE: CDW poll of 348 BizTech readers
“We’re not Amazon, but we do a decent number of transactions and are about to move up a level,” Miller says. “Our security infrastructure will grow too. PCI is a good set of guidelines to ensure your company’s security remains where it should be.”
APS, meanwhile, has differentiated itself in the crowded and competitive payment processing industry by launching its own PinPoint card. PinPoint is a combination discount, loyalty and payment card, which separates those data streams at the point of the transaction.
In conjunction with the new card, which the company plans to take nationwide, APS has provided restaurant merchants with wireless VeriFone terminals that allow them to process PinPoint transactions at the diner’s table. In order to maintain data security and PCI compliance on the PinPoint network, APS has upgraded to a SonicWall firewall and wireless router technology that’s significantly more robust than what was in place before.
“There’s a lot of technology behind the scenes — software written for the terminals to split the transaction, securing our own network,” Cartwright says. “PCI guidelines were followed every step of the way.”
Achieving and maintaining compliance is mostly a matter of recognizing the importance of data security and staying focused on the process, says Motorcycle-Superstore.com’s Miller. “The biggest pitfall for small companies — the biggest barrier to compliance and security — is thinking that the questionnaires and scans don’t matter,” he says. “If you don’t take it seriously, you’re asking for trouble.”