Not long ago, Visa Inc. changed its policy on compliance assessments for the Payment Card Industry Data Security Standard (PCI DSS).
There are several movements afoot that may limit the number of merchants required to fill out these assessments and may reduce the amount of time spent by those still required to fill them out.
More specifically, Visa decided that a merchant that meets a certain set of criteria, including processing 75% of its transactions using "chip and PIN" enabled terminals would no longer need to undergo a PCI assessment. Unfortunately, not all merchants are aware of the change, and fewer understand what it means. In this tip, we'll not only explain the changes and their implications, but also cover ways in which all organizations can make PCI compliance a whole lot easier.
The end of the PCI assessment?
The death of the PCI DSS self-assessment would be welcome news to many security professionals who look forward to the annual exercise with the same level of enthusiasm normally reserved for tax audits and dentist visits. While we all appreciate the need for strict security controls around sensitive data, such as credit card numbers, we also dread filling out the lengthy self-assessment questionnaires (SAQs). For those who aren't familiar with the PCI DSS, merchants typically complete an annual SAQ as part of the compliance validation process. For most merchants, this SAQ is then submitted to their bank to complete their reporting requirement. The largest merchants are required to have an on-site assessment by a PCI Qualified Security Assessor, and typically use the SAQ to prepare for that visit.
With this Visa PCI compliance policy change, is the end of the PCI assessment imminent? We'll discuss the details of Visa's changes later, but it should be made clear right off the top that it's doubtful that the PCI DSS program will go away anytime soon, and the SAQs and on-site assessments are bound to remain an integral part of that program for years to come. That said, there are several movements afoot that may limit the number of merchants required to fill out the assessment forms and may reduce the amount of time spent by those still required to fill them out.
Clearly defining the cardholder data environment
The first of these factors is credit card merchants' concerted effort to dramatically reduce the scope of their card processing operations. When PCI DSS first appeared on the scene in 2004, many of us shuddered at the language defining the compliance scope as including "any network component, server, or application that is included in or connected to the cardholder data environment." With much wailing and gnashing of teeth, we debated what, exactly, it meant to be "connected to" the cardholder data environment.
Over the past few years, the industry has gone from interpreting this language as an intimidating requirement mandating inclusion of almost all enterprise computing activities within the scope of PCI compliance efforts, to an opportunity to construct and manage merchant systems more securely. To make PCI assessments less painful, many organizations now segment their cardholder data environments, siphoning off systems that touch card data from the rest of the enterprise network and limiting access to those systems to staff with an explicit need to access sensitive information.
This has had the net effect of reducing the scope of many PCI DSS self-assessments to a small, well-defined number of systems. It doesn't reduce the number of questions an organization needs to answer, but it limits the number of systems that must be considered when answering those questions.
Outsourcing card processing
One of the easiest ways to dramatically reduce PCI scope is to outsource major components of the credit-card-processing infrastructure, if not the entire card-processing operation. By choosing a certified service provider, entire card-processing components can be taken out of scope. In some cases, you can even completely remove cardholder data from the environment, ensuring that an unencrypted credit-card number is never to be found.
More on PCI compliance
PCI compliance in the cloud: Can cloud service providers manage PCI?
Does reducing data storage improve PCI credit card compliance?
When choosing a credit-card-processing partner, consider only certified PCI DSS-compliant service providers and monitor any partner's status to ensure that it maintains compliance during the contract period. Visa maintains a global registry of PCI DSS validated service providers; any potential partner should appear on this list.
Outsourcing card processing is one way to drive cardholder data out of enterprise systems and reduce the number of questions that must be answered when certifying PCI DSS compliance. The starting point for PCI DSS assessments is the full questionnaire -- SAQ D -- that contains 49 pages of questions. However, an organization can reduce this lengthy list of questions dramatically if it:
- Stops storing cardholder data. When there's no card data stored locally, an organization can skip down to SAQ C, which contains only 26 pages.
- Moves to a virtual terminal environment where card processing systems only use a Web-based interface a compliant service provider provides. An organization that uses this approach can move to the 23 page SAQ C-VT.
- Use only imprint machines or stand-alone dial-out systems. With this approach, a merchant can move down to SAQ B and needs only to fill out a 20-page form.
- Achieves true PCI DSS nirvana and outsources all card processing functions completely. Not all can do this, but those that can need only to answer the 15-page SAQ A.
Driving cardholder data out of IT systems and outsourcing components of card processing can dramatically reduce the time and effort needed to complete the SAQ. When combined with efforts to limit the scope of systems that must be PCI compliant, it's possible to significantly reduce the time spent performing assessments.
Using EMV terminals
It is possible, although difficult, to completely eliminate PCI DSS assessment responsibilities. Visa and MasterCard each recently released guidelines that allow merchants using the Europay, MasterCard and Visa (EMV) chip and PIN technology to bypass assessments entirely. This is part of their move to drive adoption of smart credit cards that include integrated security features.
Organizations that meet the following criteria may be able to apply for an exemption from PCI DSS assessment requirements:
- 75% of merchant transactions must originate from chip and PIN terminals (although there is no requirement for the percent of transactions that must actually use chip and PIN).
- Merchants must not store sensitive authentication data.
- Merchants must fully segment card-present and card-not-present processing environments.
- Merchants must not have been involved in a payment-card data compromise during the past year.
- Merchants must have validated their PCI compliance during the past year.
It's important to note that while an organization may not be required to assess its compliance, it must still comply with PCI DSS requirements. Also, while Visa and MasterCard have both agreed to begin this program in 2012, American Express's program will not begin until October 2013.
Overall, there's promising news on the horizon. As merchants become more comfortable with PCI DSS requirements and the scope of their environments, the PCI community is beginning to adopt a risk-based approach that reduces the burden on merchants not engaged in high-risk activities. Expect to see more changes along these lines in the future.
About the author:
Mike Chapple, Ph. D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in July 2012