PCI DSS: Small Business Grand Designs
I have often felt like Kevin McCloud, the TV presenter from Grand Designs, when helping small businesses to understand the complexities of constructing a PCI DSS compliant payment card operation. You see, the PCI SSC provides these businesses with a comprehensive catalogue of security controls, upon which you are to construct your solid payment card operation. However, this catalogue covers a multitude of different methods of taking customers' payment card purchases:
Face to Face
This is like trying to build a property, with everything you could ever need being provided, but not even knowing what type of property you are seeking to construct.
Do you apply the structural requirements for a 20 storey block of flats, when you only need to construct a bungalow?
What if you are seeking to build multiple types of building?
Failure to identify the correct style of construction needed can prove to be extremely costly in terms of money, wasted resources/time or poor construction (increasing the potential for compromise/data breach).
Consequently, it is essential that small businesses gain a greater understanding of the complexities of PCI DSS, as applicable to their company operations.
This can be done in 2 ways:
Bring in a consultant to mentor you through the construction.
Familiarise yourself with the various self-assessment questionnaires and align the most appropriate to your payment card operations.
If you are confident in your team's do it yourself (DIY) capabilities, then take a look at option 2 and see how easy or complex this appears to you. However, remember that the safety and security of your construction is heavily reliant on your team's ability to correctly interpret which controls should be applied to each of your payment channels.
Should you have any doubts, then you still have the option to bring in an experienced consultant who is capable of mentoring you through this process. However, be sure to carry out due diligence on your specialist consultants to ensure that they are duly qualified and experienced. Think of it like bringing in an architect: these can be from a professional institution (e.g. Royal Institute of Building Architects) or a highly experienced and recommended freelancer.
Avoid bringing in any cowboys/girls!
Remember, as a lower risk merchant (e.g. under 1 million card transactions per year, unless stipulated otherwise by your Acquirer or the Card Brands) you have the liberty of being able to validate your compliance using the SAQ format. However, should you get this wrong and suffer a breach of payment card data, you will be deemed to be a higher risk and your compliance efforts would then require formal assessment by an approved qualified security assessor (QSA).
All high risk Merchants and Service Providers MUST use a QSA to validate their compliance to PCI DSS.
In summary, PCI DSS compliance can be extremely complex and difficult to achieve. However, there are a number of different approaches that you can apply based upon your risk appetite and the capabilities/experience of your team members.
Your choices are:
Bring in an approved architect (QSA).
Bring in a recommended freelancer (Security Consultant (ex QSA)).
Each of these options has its pros and cons, so you should create a business case for each of them and decide which is the most appropriate for your business.