If you're an MSP looking to offer PCI DSS compliance as a service, you first have to educate yourself on what it entails. Keep reading for a detailed explanation!
PCI DSS, which stands for the Payment Card Industry Data Security Standard, ensures all companies maintain a secure environment if they process, store, or maintain credit card information, regardless of their size or the number of transactions that they process. This set of requirements details the standards and necessary resources needed for a secure environment that is PCI DSS compliant. PCI DSS is a far-reaching standard—in short, any merchant with a Merchant ID must adhere to it. If a customer ever directly pays a merchant using a credit or debit card, then PCI DSS requirements apply.
PCI DSS was created to increase controls and reduce fraud with credit card data, in an effort to achieve self-regulation and avoid broad legislative action. It was designed by the Payment Card Industry Security Standards Council (PCI SSC; www.pcisecuritystandards.org), an independent organization created by worldwide credit card brands MasterCard, Visa, American Express, Discover and JCB.
Understanding, establishing and maintaining PCI compliance is a priority for nearly every business, and each should be properly educated on the level of compliance they are subject to in order to mitigate any punitive actions.
There are four PCI compliance levels, based on how card data is handled and the number of credit card transactions completed each year. PCI compliance has fewer requirements if a business processes 20,000 transactions or less per year, or if the card data is handled entirely by vendors— such as a shopping cart provider. The highest level of PCI compliance requirements are for companies that handle 6 million transactions per year or more, or those that write their own code, store card data and run their own servers.
Note that PCI DSS standards and EMV technical standards are distinct and separate. EMV compliance renders useless credit card data should it ever be compromised or stolen. PCI DSS is put in place to ensure that credit and debit card data is not able to be stolen in the first place. To accomplish this, PCI security controls are in place throughout each stage of the transaction process.
Account Data—In terms of PCI DSS, this refers to any and all cardholder data and/or sensitive authentication data.
Approved Scanning Vendor—A company approved by the PCI SSC to conduct external vulnerability scanning services.
Attestation of Compliance (AOC)—An annual form for merchants and service providers that is used to attest to the results of a PCI DSS assessment. This is necessary per the PCI DSS Self-Assessment Questionnaire or Report on Compliance. It may involve some or all of the following: delivering a self-assessment questionnaire, a regular network or site scan by an Approved Scanning Vendor, a compliance report by a Qualified Security Assessor, and the actual Attestation of Compliance form itself.
Cardholder Data Environment (CDE)—Processes, technology and people that transmit, process or store cardholder data or sensitive authentication data.
Merchant—defined as any entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC—American Express, Discover, JCB, MasterCard or Visa—as payment for goods and/or services.
PCI DSS—Payment Card Industry Data Security Standard, a proprietary information security standard for organizations that handle branded credit cards from major card companies.
PCI SSC—Payment Card Industry Security Standards Council, a global forum for the ongoing development, enhancement, storage, dissemination and implementation of PCI DSS for account data protection.
Qualified Security Assessor—A party qualified by the PCI SSC to perform on-site PCI DSS assessments.
Self-Assessment Questionnaire—A PCI DSS reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.
Service Provider—A business entity that is not a payment brand, but directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. For example, service providers may include companies providing services that control or could impact the security of cardholder data. Managed IT service providers would be considered service providers under PCI DSS if they provide such services as managed firewalls, IDS and other support. Service providers may also be considered merchants if the sold services result in storing, processing or transmitting cardholder data on behalf of other merchants or service providers.
PCI DSS started as five different programs: MasterCard's Site Data Protection, Visa's Cardholder Information Security Program, American Express's Data Security Operating Policy, Discover's Information Security and Compliance and the JCB's Data Security Program.
Each of these initiatives were similar—they created an additional level of protection for card issuers, ensuring that merchants met minimum levels of security when storing, processing and transmitting cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was created and on December 15, 2004, these companies aligned their individual policies and released version 1.0 of the Payment Card Industry Data Security Standard (PCI DSS).
For MSPs, PCI DSS is at once a business responsibility and a business opportunity. Many managed IT service providers offer assessment tools and vulnerability scanning products to assist their clients with their PCI compliance needs. This can be a lucrative revenue stream, as the MSP can offer everything from PCI assessment and pre-audit services, PCI remediation services to help correct compliance issues for a client, and documentation and reporting services. Establishing an MSP practice as a go-to PCI compliance shop can be advantageous, and provide an additional way to prospect for clients.
MSPs often use a module that can run a scan of a client’s cardholder data environment, gathering data and establishing if they are currently PCI compliant. The module will then offer recommendations for steps needed or services to be enlisted to bring the client up to the necessary level of compliance. These modules can be a great way to prospect; by establishing the value and needed services the MSP can provide, an assessment module is a way to open doors to new clients—and new revenue.
Additionally, it is often necessary for MSPs themselves to be PCI compliant in service of their clients. As defined by PCI DSS, MSPs usually fall under the classifications of both service provider and merchant. If MSPs have clients that accept credit or debit cards and they work on the systems they use to store and process those cards, the MSPs are just as responsible for maintaining PCI DSS compliance as the clients are, because the MSPs and their technicians are entering a cardholder data environment—a secure space governed by strict PCI DSS policies.
Organizations that neglect to comply with PCI DSS face harsh and punitive consequences, which only increase with scope and severity. Failure to be fully PCI compliant can lead to higher credit and debit processing charges from the card companies, which is done with the intention to offset any actual or perceived increased risk to the card company. Severe negligence to enact basic controls can also lead to expulsion from credit and debit card acceptance programs.
Companies may also be subject to monetary fines if they experience a security breach and, upon investigation, are found to be noncompliant. These fines can range anywhere from $5,000 to $100,000 each month until all compliance issues are mitigated. Failure to resolve these issues may result in the revocation of card processing abilities.