by Jason McWhirr, IS Consultant
Not surprisingly, most retailers are focussed on their customers and sales, using the tools that best facilitate that, not on security systems to protect cardholder data – despite the hazards that a data breach could present.
Sysnet’s contact centre and acquirer support teams help retail merchants with their annual PCI DSS scoping and compliance questions on a daily basis, and therefore see the main issues that cause problems with compliance.
The most common issues are:
Unsegmented cardholder data networks
Retail companies generally grow organically, adding stores as they go. The network in each new store gets attention insofar as it keeps the tills and payment terminals working reliably; how that network connects to everything else usually gets much less.
Interconnected store networks, back-end servers, PCs, wireless networks and remote support connections are sometimes necessary for the business. However, isolating the payment network from the non-payment network is a key part of reducing both risk and the merchant's PCI DSS scope: without segmentation, every system that can reach the payment network is in scope.
Point-Of-Sale (POS) systems transmitting cardholder data
POS systems are used to capture cardholder data, but the way they are implemented can create difficulties in meeting PCI DSS requirements. Payment applications that have not been validated against PA-DSS (the Payment Application Data Security Standard), central POS servers that aggregate cardholder data from the stores, and poorly installed or maintained POS PCs are among the reasons compliance can be difficult.
Lack of IT (internal or external) and/or compliance resource/staff to implement PCI DSS requirements
Most companies understandably run at the leanest staffing level they can, so PCI DSS creates difficulties through the extra workload and responsibility of attaining and maintaining certification, never mind the additional day-to-day controls and IT measures needed to meet its requirements.
Depending on the business model, some functions or departments may be outsourced, which can also complicate PCI DSS certification: the outsourced provider's controls have to be evidenced too, and that comes at additional cost.
How can an acquirer help their merchant achieve compliance with minimal effort?
Whilst PCI DSS does try to educate retailers on what constitutes good security practice, complying with it can be a time-consuming and costly project, and the effort varies by merchant and by the payment systems installed.
For some merchants it could mean making company-wide network changes to reduce their PCI DSS scope, and therefore the number of requirements that apply to them.
For other merchants this may not be an option and all PCI DSS requirements would need to be met – a tough proposition for any organisation, large or small. For example, a merchant potentially eligible for SAQ C could make network changes to segment the retail POS environment from the rest of their network and thereby reduce their PCI DSS compliance requirements to those in SAQ C.
However the nature of their business operation, such as all store POS tills needing to communicate with a head office POS server, may mean that the isolation of the POS environment is not possible and the merchant is left to consider the SAQ D and all of its requirements.
There is potentially an easier way for many retail merchants to become PCI DSS compliant in the face-to-face channel – PCI-validated P2PE solutions.
Acquirers should help their retail merchants understand the security, compliance, and potential cost benefits of implementing a PCI-validated P2PE solution in their environments.
Benefits for a merchant include:
Simplifies PCI DSS Compliance
PCI-listed P2PE solutions reduce where and how PCI DSS requirements apply to a business. This saves time and money on overall compliance efforts without sacrificing the security of customers’ data.
The PCI P2PE SAQ includes only 26 PCI DSS requirements
If a PCI-validated P2PE solution is verified and implemented correctly, only 26 PCI DSS requirements (roughly 35 questions) need to be met. This can be reduced further if the merchant using the validated solution neither has access to nor creates any paper records (such as merchant receipts, mail order forms or reports) containing cardholder data.
For example, the twelve questions of Requirement 3 and those in Requirement 9 relating to paper records would not apply in that case.
Network segmentation not mandatory
Because cardholder data is encrypted at the POI device and stays encrypted as it crosses the merchant's infrastructure to the P2PE solution provider, there is no requirement to isolate the payment devices from other merchant systems: the other systems only ever see ciphertext they cannot decrypt.
This saves IT resource and money that would otherwise go into upgrading network infrastructure. It may still be necessary to segment payment networks for other payment channels, and segmentation remains good security practice regardless of the compliance relief.
IT & compliance staff resource benefits
Fewer applicable PCI DSS requirements mean less IT and compliance team involvement, saving time and money.
Reduced cardholder data breach risk
Greater security measures help lower the risk of data loss and help protect the merchant’s brand reputation.
PCI-validated P2PE solutions do carry a price premium, due to the extra validation and security controls used to protect the devices and systems within the solution. It is up to the merchant to decide whether this premium is reasonable compared with the additional time, money and effort of complying with the full set of applicable PCI DSS requirements rather than the small subset that applies to merchants using a PCI-validated P2PE solution.
By encouraging merchants to implement PCI-validated P2PE solutions, acquirers are removing a large amount of risk from their merchant estate, whilst also supporting their clients with PCI DSS compliance.
A typical example of a merchant that would benefit from a PCI-validated P2PE solution is one with a retail estate of POI devices connected to POS systems. Normally this type of environment would at best qualify for a PCI SAQ C attestation (144 questions), but depending on the merchant's network infrastructure it could require a PCI SAQ D attestation (332 questions).
By correctly implementing a PCI-validated P2PE solution, a merchant can reduce their scope significantly, saving the time and money they would otherwise have to invest in controls that no longer apply.
If the merchant's PCI-validated P2PE solution is installed as per its P2PE Instruction Manual (PIM), and all in-scope systems are verified to be PCI P2PE compliant, the merchant in this example could attest via SAQ P2PE-HW (35 questions).
What is P2PE?
A P2PE solution combines secure payment devices, applications and processes so that cardholder data is encrypted inside the merchant's POI (Point of Interaction) device at the moment of capture. The data then passes, already encrypted, through the POS (Point of Sale) system and the merchant's IT network to the third-party solution provider, where it is decrypted in a secure decryption environment for authorisation.
Strong encryption renders the cardholder data useless to anyone other than the solution provider, who controls the encryption and decryption keys; neither the POS system nor the merchant's network ever holds a key that could decrypt it.
PCI-validated P2PE Solutions
Originally, many vendors built their merchant solutions around their own notions of P2PE. This often caused confusion about how such solutions related to PCI DSS, so the PCI SSC created the PCI P2PE standard to define the requirements for everyone.
That standard then enabled the same vendors to build and sell PCI-validated P2PE solutions to retailers, helping to reduce their PCI DSS scope, increase security and lower overall costs.
PCI-validated P2PE solutions carry mandatory requirements to protect the security of the system, which include PCI PTS-approved payment devices, a P2PE-validated application at the point of interaction, secure key management, a P2PE Instruction Manual (PIM) that the merchant must follow, and a full device lifecycle history (inventory and chain of custody) from manufacture to end-of-life disposal.