28 Sep Lingering PCI Compliance Questions, Answered
Even MSPs with an admirable understanding of PCI Compliance still have enduring questions about the requirements, as set forth by the PCI Security Standards Council. Part of the reason for this (in addition to the standards being downright complex) is that the council evolves these requirements on a regular basis.
The progression of the standards is not arbitrary—if anything, it’s a purposeful action on the part of the council to keep up with an advancing threat of ever-more resourceful hackers. Malicious software purveyors continue to develop new ways to compromise data that can be stored on a merchant network, so the standards are frequently amended to address new challenges.
RapidFire Tools offered a live Q&A session at the end of our recent webinar, “The Next Big Thing for IT – PCI Compliance Services.” The presentation was conducted by RapidFire Tools’ special guest, PCI compliance expert Charles Hoff.
We thought it would be helpful to share some questions from attendees, and our responses. They explore some of the latest requirements, how international merchants are affected, the scope of organizations subject to the standards, the recommended frequency of scans, and more.
Q: Can you tell us about international changes in privacy as it relates to PCI?
A: The PCI DSS is applicable to all merchants, even those outside of the U.S. In fact, the PCI Data Security Council solicits input on its standards from stakeholders outside the U.S., as well as from within. However, enforcement has been stricter within the U.S. It is expected that enforcement rates will increase in the U.K. and in Europe in the future.
Q: Can you explain about the QIR Certification Program and Visa’s January 2017 requirement?
A: The program in question has been mandated by Visa. It applies to merchants that use service providers to install and maintain POS systems and software within the merchant environment, and it addresses the following concern:
POS providers often maintain remote access to the POS systems at their merchant customers’ locations. Hackers have been using this remote access to install malware at merchant locations. In an effort to quell this troubling trend, Visa has mandated that as of January 31, 2017, merchants must contract POS providers that are certified as a “Qualified Integrator & Reseller” (QIR). The QIR Certification Program is designed to help POS providers better understand data security responsibilities and practices within the payments system. Visa will maintain a list of QIR-certified POS providers for the benefit of merchants.
Q: With what frequency are merchants required to do internal scans?
A: PCI DSS 11.2 calls for running internal and external network vulnerability scans at least quarterly, and additionally after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, or product upgrades). From a more practical perspective, it is highly recommended that organizations perform these scans far more often, such as weekly or even daily, so that new vulnerabilities are noticed much sooner. The company may then simply document one of the quarterly scans as the “official” PCI DSS-required scan.
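The scheduling rule in that answer is easy to state and easy to lose track of across a year of scan reports and change tickets. The following is an added example, not code from the original post or from RapidFire Tools, that checks a scan history against the three points above: a scan in every calendar quarter, a re-scan within a chosen window after each significant change, and the "official" scan to document per quarter. The scan dates, the change events and the 7-day re-scan window are constructed assumptions; PCI DSS 11.2 itself does not set a number of days for the post-change scan.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page): dates of completed internal
# vulnerability scans and the "significant changes" PCI DSS 11.2 lists as
# triggers for an additional scan. Real data would come from the scanner's
# report archive and the change-management system.
SCANS = [
    date(2016, 1, 12),
    date(2016, 2, 17),
    date(2016, 4, 3),
    date(2016, 7, 21),
    date(2016, 10, 5),
]
CHANGES = [
    ("firewall rule change", date(2016, 2, 15)),
    ("new POS component installed", date(2016, 8, 30)),
]


def quarter_of(d):
    """Map a date to its (year, calendar quarter) pair."""
    return (d.year, (d.month - 1) // 3 + 1)


def quarters_missing_scan(scans, year):
    """Quarters of `year` with no scan at all: the 'at least quarterly' check."""
    covered = {quarter_of(d) for d in scans if d.year == year}
    return [q for q in range(1, 5) if (year, q) not in covered]


def longest_gap_days(scans):
    """Largest number of days between consecutive scans.

    Even with one scan per calendar quarter, a scan on 1 January followed by
    one on 30 June is a 180-day gap; this surfaces that kind of drift.
    """
    ordered = sorted(scans)
    return max(
        (later - earlier).days for earlier, later in zip(ordered, ordered[1:])
    )


def changes_without_rescan(scans, changes, max_days=7):
    """Significant changes that were not followed by a scan within max_days.

    The 7-day window is an assumption for this example; the standard requires
    a scan after the change but leaves the acceptable delay to the assessor.
    """
    gaps = []
    for label, changed_on in changes:
        deadline = changed_on + timedelta(days=max_days)
        if not any(changed_on <= s <= deadline for s in scans):
            gaps.append((label, changed_on))
    return gaps


def official_scans(scans, year):
    """Pick the first scan in each quarter as the one to document as 'official'."""
    chosen = {}
    for d in sorted(s for s in scans if s.year == year):
        q = quarter_of(d)[1]
        chosen.setdefault(q, d)
    return chosen


def compliance_report(scans, changes, year):
    """Return a dict summarising all three checks for `year`."""
    return {
        "quarters_missing_scan": quarters_missing_scan(scans, year),
        "longest_gap_days": longest_gap_days(scans),
        "changes_without_rescan": changes_without_rescan(scans, changes),
        "official_scans": official_scans(scans, year),
    }


if __name__ == "__main__":
    for key, value in compliance_report(SCANS, CHANGES, 2016).items():
        print(f"{key}: {value}")
```

On the constructed data every quarter has a scan and each has an "official" candidate, yet two findings remain: the April-to-July gap is 109 days, and the POS component installed on 30 August was not followed by a scan for over a month. Those are exactly the conditions a quarter-by-quarter view hides and that the weekly or daily cadence recommended above would avoid.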
Q: Can you clarify which organizations in the retail ecosystem are potential subjects for a PCI Compliance program? Is compliance only applicable to the organizations that maintain the credit card information on their systems? Many merchants utilize POS systems that communicate with a clearing company via equipment that the clearing company provides. Is the clearing company also subject to PCI compliance?
A: PCI compliance covers any company involved in the acceptance, storage, transmission or processing of card data. Therefore, as an MSP, your PCI Compliance services could potentially extend to any of the following:
- A business that accepts credit or debit cards, even if it utilizes a third-party vendor’s hardware, software or applications to handle the payment
- A service provider that stores credit or debit card data on behalf of another business
- A hosting provider or other service provider that processes or transmits credit or debit card data on behalf of another business
We hope this addresses some of your lingering questions, as it did for our webinar participants, and helps you to take advantage of more market opportunities through network assessments. We’ll keep you informed about upcoming sessions on PCI and other compliance issues in our ongoing webinar training series.