By Natasja Bolton, Senior Acquirer Support QSA
Merchants with more complex payment systems or payment processes that do not fit into the shortened SAQs (A, A-EP, B, B-IP, C-VT, C & P2PE) are required to complete SAQ D, or may require an on-site assessment (for merchants with larger transaction volumes). These questionnaires can take a merchant an extended period of time to complete, as company payment processes, IT systems and service providers may need substantial changes to achieve compliance with the PCI DSS.
The PCI Council recognises this, and to help businesses working towards compliance they introduced the Prioritised Approach for PCI DSS. This document provides a roadmap for merchants to help them prioritise their compliance efforts in the most critical risk areas for payment card security. The focus of the approach is the protection of account data (cardholder data and sensitive authentication data), through achievement of security milestones that lower the risk of an account data breach.
In addition to the Prioritised Approach document, the PCI SSC also created the Prioritised Approach Tool. This is a worksheet that businesses can use to record the compliance status of each PCI DSS control and to document their progress. The Prioritised Approach is updated each time the PCI DSS is revised, currently version 3.2. The latest document will always be found here.
How does it help businesses?
The Prioritised Approach document establishes six security milestones, allocating each PCI DSS control to a milestone and thereby helping a business focus on addressing the highest risks to their cardholder data and systems. The matrix below summarises the high-level goals for each milestone:
The Prioritised Approach worksheet links the milestones (numbered and colour coded) to the PCI DSS requirements based on the PCI Council’s analysis of each requirement’s potential impact on or reduction of cardholder data risk.
The worksheet is designed to assist businesses in completing an initial gap analysis of their cardholder data environment(s) and payment systems against the PCI DSS. The available answers for each PCI DSS control's status are ‘YES’, ‘N/A’ (Not Applicable) or ‘NO’, with additional fields for explaining non-applicability and non-compliant controls. The worksheet can also be used for project planning, as each non-compliant control can be allocated an implementation stage (‘Planning’, ‘Implementation in Progress’ or ‘Implemented but Not Validated’) and an estimated date for completion, with further space available for comments.
Information on the PCI DSS requirements is kept minimal with the labels only including the PCI DSS Requirement text. The worksheet does not include the testing procedures that appear in the PCI DSS or the sub-requirement questions from the Self-Assessment Questionnaires. For example, the worksheet includes Requirement 9.8.1 but does not include 9.8.1 a) or 9.8.1 b). Always refer to the actual PCI DSS document for more detailed guidance on a requirement and its intent.
The milestone-based prioritisation of the PCI DSS helps businesses develop a better understanding of how compliance can protect payment card data and minimise their risk. The worksheet includes a summary tab that displays collated percentage scores for each milestone, allowing businesses to monitor their achievement of compliance and risk reduction milestone by milestone:
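To make the worksheet's record-keeping and summary concrete, here is an added Python example that is not part of the original post and not the PCI SSC's tool. It models one worksheet row per PCI DSS control with the status values, implementation stages and date field described above, checks that ‘N/A’ and ‘NO’ rows carry the explanation, stage and completion date the worksheet asks for, and collates a percentage per milestone. The sample rows, their milestone assignments and the rule that N/A controls are excluded from the percentage are constructed assumptions for illustration; the Council's own worksheet defines the real requirement-to-milestone mapping and its own summary arithmetic.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Answers and stages as described for the Prioritised Approach worksheet.
STATUSES = {"YES", "NO", "N/A"}
STAGES = {"Planning", "Implementation in Progress", "Implemented but Not Validated"}


@dataclass
class ControlRow:
    requirement: str                 # PCI DSS requirement number, e.g. "9.8.1"
    milestone: int                   # Prioritised Approach milestone 1..6
    status: str                      # "YES", "NO" or "N/A"
    explanation: str = ""            # why N/A, or why the control is not yet in place
    stage: Optional[str] = None      # implementation stage, only meaningful for "NO"
    target_date: Optional[str] = None  # estimated completion date (ISO), only for "NO"


def validate_row(row: ControlRow) -> List[str]:
    """Return the problems with one worksheet row; an empty list means the row is complete."""
    problems = []
    if row.status not in STATUSES:
        problems.append(f"{row.requirement}: status must be one of {sorted(STATUSES)}")
        return problems
    if not 1 <= row.milestone <= 6:
        problems.append(f"{row.requirement}: milestone must be between 1 and 6")
    if row.status == "N/A" and not row.explanation:
        problems.append(f"{row.requirement}: N/A requires an explanation of non-applicability")
    if row.status == "NO":
        # A non-compliant control should carry the planning fields the acquirer will read.
        if not row.explanation:
            problems.append(f"{row.requirement}: NO requires an explanation")
        if row.stage not in STAGES:
            problems.append(f"{row.requirement}: NO requires an implementation stage")
        if not row.target_date:
            problems.append(f"{row.requirement}: NO requires an estimated completion date")
    return problems


def milestone_summary(rows: List[ControlRow]) -> Dict[int, dict]:
    """Collate counts per milestone and the percentage of applicable controls in place.

    Assumption (not from the page): N/A controls are excluded from the denominator, so a
    milestone consisting only of N/A controls, or with no controls at all, reports None
    rather than a misleading 0% or 100%.
    """
    counts = defaultdict(lambda: {"YES": 0, "NO": 0, "N/A": 0})
    for row in rows:
        counts[row.milestone][row.status] += 1
    summary = {}
    for m in range(1, 7):
        c = counts[m]
        applicable = c["YES"] + c["NO"]
        pct = round(100.0 * c["YES"] / applicable, 1) if applicable else None
        summary[m] = {**c, "applicable": applicable, "percent_in_place": pct}
    return summary


# Constructed sample worksheet. Requirement numbers and milestone assignments are
# illustrative only and are not the Council's mapping.
SAMPLE_ROWS = [
    ControlRow("3.2", 1, "YES"),
    ControlRow("3.2.1", 1, "NO", "Legacy POS log retains track data",
               "Planning", "2019-03-31"),
    ControlRow("1.1.1", 2, "YES"),
    ControlRow("1.2.1", 2, "N/A", "No inbound connections to the CDE; fully outsourced"),
    ControlRow("6.5.1", 3, "NO", "Web app not yet reviewed for injection flaws"),  # incomplete row
    ControlRow("9.8.1", 4, "YES"),
]


def worksheet_report(rows: List[ControlRow]):
    """Return (per-milestone summary, list of row problems) for a worksheet."""
    problems = [p for row in rows for p in validate_row(row)]
    return milestone_summary(rows), problems


if __name__ == "__main__":
    summary, problems = worksheet_report(SAMPLE_ROWS)
    for m, s in summary.items():
        print(f"Milestone {m}: {s}")
    for p in problems:
        print("Incomplete:", p)
```

Running the block prints one line per milestone (for the sample, milestone 1 shows 50% in place, milestones 5 and 6 have no controls and report None) followed by the two fields missing from the incomplete ‘NO’ row for requirement 6.5.1. An acquirer receiving worksheets in this shape can sort merchants by the milestones still below 100% rather than by raw control counts.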
The Prioritised Approach document is an aid for businesses on their journey towards full compliance with the PCI DSS. As the PCI Council noted in their recent blog: ‘Because it’s easy to get lost in the technical weeds, the Prioritized Approach keeps you focused on this goal [of securing cardholder data] with six clear milestones that provide a “roadmap”’. The Prioritised Approach provides businesses with a tool that measures their progress and risk reduction, which can be used to demonstrate to their acquirer, and within their own organisation, the steps that they have taken and are taking towards PCI DSS compliance. It ‘promotes objective and measurable progress indicators, and supports financial and operational planning’.
Note that the Prioritised Approach worksheet is a tool for recording and reporting PCI DSS compliance status and progress. It is not a PCI DSS compliance validation document and businesses will still need to undertake an assessment of all applicable PCI DSS requirements (formal assessment or self-assessment, as required) and complete their Attestation of Compliance.
How does it help an Acquirer?
It can be difficult for your merchant customers to know where to start with PCI DSS; they may be overwhelmed by all that the PCI DSS requires of them and struggle to articulate to you how they will achieve PCI DSS compliance. The Prioritised Approach is a tool that can help those businesses record their compliance status and convey their plans to you.
As the PCI Council states: the Prioritised Approach helps businesses ‘demonstrate to [their] acquirer (merchant bank) that [they] are systematically lowering risk and pursuing security and compliance’. A completed worksheet highlights risk areas and provides the business’ estimated completion date for each milestone.
Encourage your non-compliant merchant customers to utilise the Prioritised Approach, supplying the worksheet with their regular progress reporting. This not only allows you to provide compliance status reports to the payment card brands in the format they expect, it also means you have consistent, comparable compliance status information for all of your merchant customers – helping you to focus your attention on those that appear to present the greatest risk to payment card data.
Sysnet.air has the functionality to help you manage and track the compliance of your larger, more complex merchants, including the prioritised approach reports you may receive from them.
Sysnet.air support can include the services of an assigned QSA from Sysnet’s Acquirer Support team. A Sysnet assigned QSA team can engage directly with your business customers to help them:
- Understand PCI DSS, its requirements, and relevance to their business.
- Walk through the business’ payment processes to understand how cardholder data is accepted, processed, transmitted and/or stored.
- Explore what is, and isn’t in scope for PCI DSS in each of their payment channels (Ecommerce, Face-to-Face and Mail Order/Telephone Order (MOTO)).
- Understand the PCI DSS implications of their current payment systems and processes.
- Consider options for reducing scope which may reduce the complexity and expense of compliance.
- Advise the business on risk reduction ‘quick wins’ and provide next step recommendations for their compliance journey.
The outcome of these engagements will be a clearer understanding of what the business needs to do to become compliant. Many times, this guidance is sufficient for them to confirm their payment channels’ eligibility for the smaller Self-Assessment Questionnaires and move directly to assessment. Other businesses with complex payment systems may need to devote time to investigation, planning and implementation before they will be ready for compliance assessment. Sysnet always recommends the use of the PCI DSS Prioritised Approach for these businesses.