With the new version of the Payment Card Industry Data Security Standard (PCI DSS) taking effect this February, organizations – especially contact centers – cannot afford to wait to address their compliance initiatives. To share his take on today’s regulatory landscape and provide some best practices for complying with the PCI DSS, Jeff Hall, a Qualified Security Assessor (QSA) with Wesbey Associates, joins us for the next blog post in our “QSA Q&A” series.
With more than 30 years of experience in information security, Jeff began his career as a contract IBM mainframe systems programmer. In 2002, Jeff became involved with securing cardholder data when compliance programs were being run by Visa as the Cardholder Information Security Program (CISP) and MasterCard as the Site Data Protection (SDP) program. Of course, the CISP became the PCI DSS, and the SDP became the PCI Approved Scanning Vendor program. Jeff has worked with companies spanning vertical industries, including financial institutions, retail, distribution, manufacturing and healthcare. However, Jeff is most commonly known as the “PCI Guru,” a pseudonym under which he writes his own blog.
Semafone: Hi Jeff! Thanks for taking the time to speak with us. What are the key PCI DSS compliance challenges you see in today’s contact centers?
Jeff: Reducing scope is a challenge for everyone, but particularly for contact centers. The reason it can be a bigger challenge for contact centers is because they are not always in complete control of how card data is handled and processed by their personnel. This is especially true for outsourced or offshored contact centers whose processes and technologies are dictated by the businesses that contract with them. Often, these processes do not lend themselves to reducing scope.
S: In spite of these challenges, we often see companies delaying or putting off their PCI DSS compliance efforts. As a QSA, what are the most common reasons you’ve heard organizations give for delaying their initiatives?
J: The reason I hear time and time again is: “No one told us we needed to be PCI compliant.”
PCI is driven by the banks and card brands, but their exposure to who actually processes, stores or transmits the cardholder data is limited to only those organizations with whom they have direct contact. In most cases, organizations have no exposure to anyone other than a merchant or service provider that interacts with them. As a result, it is the responsibility of any organization’s management to acknowledge that they are processing, storing or transmitting cardholder data and initiate efforts to comply with the PCI standards, and assess that compliance with the appropriate standard.
S: What about organizations that do not directly handle cardholder data?
J: Things get really sticky for organizations that do not directly process, store or transmit cardholder data, but have access to the systems or infrastructure that do. The best example I can share is managed service providers (MSPs) that manage servers or networks for merchants or service providers that are in scope for PCI compliance. QSAs constantly run into organizations that are surprised when one of their customers reaches out to them for their PCI Attestation of Compliance (AOC) and they have no idea what the merchant is asking.
S: So, how can a QSA benefit an organization?
J: Once an organization identifies that it is in scope for PCI compliance, I highly recommend engaging a QSA to guide the organization through the start-up of that process so that the company can begin the process on the right foot. A QSA can also provide an ongoing PCI resource as the process continues and questions arise.
However, most PCI efforts go wrong when the organization tries to do it without any QSA guidance. In these cases, a company may become frustrated because it does not have the requisite knowledge and experience necessary to properly interpret the PCI standards and implement those requirements intelligently in their particular environment.
S: In your opinion, what are the top consequences of delaying PCI DSS compliance? We know that fees for noncompliance can range from $5,000 to $500,000 a month. And, if there is a breach, organizations may face an additional $50 to $90 fine per compromised cardholder record.
J: The biggest consequence of delaying is paying fines monthly for not conducting your requisite annual assessment. This is followed by suffering a breach and never having been through an assessment.
S: What is your best advice for those struggling to comply with PCI DSS or those who are procrastinating?
J: For any merchant, the best advice is keep it simple and implement solutions that minimize your PCI scope.
S: In your blog, you mention that organizations must go beyond the PCI DSS requirements to be fully secure. What additional steps should they take?
J: Any security program is only the bare minimum for being secure. The biggest step is to monitor your devices and networks closely, tune those monitoring systems to minimize false positive alerts and then follow up on all alerts. It is sad, but I still encounter security personnel who see an alert and then say, “Oh, don’t worry about that. It’s not a real alert.” My response back is always, “How do you know that?” But in the back of my mind, I am thinking: if it is a false positive, why are your monitoring systems still generating it?
S: This has been great. Thanks for your time, Jeff.
To hear more from Jeff, check out his blog, “The PCI Guru.”