PA DSS: What To Do When Best Practices Become Mandatory

Written by Evan Schuman
September 18th, 2008
Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

What's the difference between mandates and PCI best practices? "Best practices" sounds nicer.

It's an important distinction, and potentially the only one, and it becomes critical in less than two weeks. Just when you thought PCI was solidifying, when perhaps it was safe to swim again in your POS waters, there's a major PCI-related deadline coming up on October 1, and most merchants aren't aware of the details. That's true even though they've been given an entire year to get up to speed.


3 Comments

  1. Randy Carr, Shift4 Corporation Says:

    Come on David,

    Most level 3 and 4 merchants do not have the technical bandwidth or financial resources to own the process or be directly involved with their vendor’s PA DSS assessment. We are talking about mom-and-pop businesses here. What is important is that they are not exempt and must deal with the new regulations. We need to help these merchants become secure and compliant. After all, they make up 80% of what drives our economy. The last thing we need to do right now is toss another roadblock in the way of small business. Let’s think economic recovery!

  2. Steve Sommers Says:

    Good article but I do have to strongly disagree with the solution. The article states: “Merchants simply cannot assume that just because a payment application product is on some long list that there has been a thorough and complete review, comparable to a Level 1 merchant’s PCI DSS assessment. Merchants must review the detailed audit reports and even be directly involved in their vendor’s PA DSS assessment. Merchants must own this process, simply because they own the resulting liability and brand damage.”

    There are several problems with this solution. First, most level 3 & 4 merchants don’t know what PCI is other than some costly regulations being forced on them by their merchant service provider and scared into them by various vendors. Second, even among the minority of merchants that truly understand PCI, only a very small percentage will be able to decipher a “passing” grade on a particular issue of a PA-DSS assessment report versus an excellent or poor grade. Third, with the larger POS providers, there are not enough hours in a day to educate every level 3 and 4 merchant on the intricacies of a particular PA-DSS assessment.

    To tackle the level 3 & 4 merchants, merchants need a PA-DSS approved list to reference. Sure, in a perfect world, every merchant fully understands every aspect of PCI and more importantly, data security. But we don’t live in a perfect world. In our world, only level 1 & 2 merchants can afford full time data security officers that can dedicate the time and resources to audit and review every assessment of every application in use — level 3 & 4 merchants will need lists. Lists that not only comply with PCI, but also convey some assurance to the merchant that the software they are using is truly secure. We need to better control the quality of what goes on the list. The list should also provide a level of liability protection as well for the merchant. Otherwise I would argue that a PA-DSS assessment is a waste of money because it is useless to the parties it is labeled to help the most, the merchant and the cardholder.

  3. Kim Singletary, Solidcore Says:

    The fundamental assumption here is that using a PA-DSS compliant application (by any Merchant) provides protection against liability and brand damage. ISSA just posted a report by Verisign (Hizner and Sundaresan, 10 Tips to HACK the PA-DSS Standard) showing how a compliant payment application was able to be compromised. The smaller merchants are at the mercy of the PCI standards council without a strong voice to advocate on their behalf and with even less knowledge about IT systems or code review. Passing the burden to these smaller merchants is not the prescription to this problem.
