You wouldn’t use a solicitor for your accounts, so why use an IT company for your PCI Compliance?
Using a PCI QSA company for your PCI Compliance – assurance for your business
PCI compliance is a requirement for all merchants taking credit card payments. Being compliant means that they have met the requirements of the Payment Card Industry Data Security Standard (PCI DSS) to protect cardholder data wherever it is stored, processed or transmitted. This matters, and getting it wrong can have very significant consequences, so why are some companies entrusting the process to IT consultants who lack both the specific qualifications and the relevant experience needed to advise them accurately?
In this article we look at the issues involved and explain why it is important and almost certainly much better value to use a qualified PCI QSA company to help deliver PCI Compliance.
Where does it start to go wrong?
There are different requirements for reporting against PCI DSS depending on which merchant level you are, and this is often where PCI QSA (Payment Card Industry Qualified Security Assessor) companies see things start to go wrong, even with self-assessment questionnaires (SAQs).
We have found that many merchants are reporting at the wrong level. This is common because identifying the appropriate level can be confusing: it depends on your annual transaction volume and on your acquirer or payment provider, and the card brands each set their own thresholds. A PCI QSA knows how you should be reporting; they will identify your merchant level correctly and guide you accordingly.
The next thing we frequently see is a self-assessment questionnaire that does not truly reflect the environment. This is usually because the intent of a question is not fully understood, so it is answered incorrectly or marked 'not applicable'. An answer of 'not applicable' has to be justified, and if the requirement does in fact apply to a system that handles card data, your declaration is wrong. If your declaration is found to be incorrect and you then suffer a breach that results in the loss of card details, the costs can be very significant. A PCI QSA will explain the intent of each question and how it relates to your environment.
Why use a professional, qualified expert?
When we need legal advice we turn to professional, qualified and experienced solicitors. They understand the law, they know where the pitfalls are, and they guide us to the right outcomes.
Once we have engaged a solicitor and they have guided us through tricky documentation and legal processes, we realise how little we really knew. We also realise that using their expertise saves time and worry and, in the long term, possibly a considerable amount of money had things gone wrong. They constantly update their knowledge and, importantly, they must hold specialised professional indemnity insurance. It is an expensive requirement, but a solicitor would not give advice without it.
So how does using a PCI QSA relate to using a solicitor?
A PCI QSA is likewise a qualified professional and an expert in their field, who understands the intent of the PCI DSS requirements in the same way that a solicitor understands the intent of the law. They can identify weaknesses in your processes and systems that could expose your customers' sensitive card data, and they can advise you on best practice.
They always work to the standards required by their professional body, the PCI Security Standards Council. They must undertake continuing professional development, and they must hold approved specialist insurance that meets the Council's requirements.
So when you ask your IT company or IT department to help you complete your PCI DSS self-assessment questionnaire, be aware that they are often not experts in this field. Unless they are PCI QSAs they may not be qualified (or insured) to give you this specialist advice, and if it goes wrong you may find that the responsibility is entirely yours.
The majority of IT providers understand that this is a specialist area and a high-risk one for them to advise on. Those who do not may also be unaware of the requirements of the standard, and may unknowingly give you the wrong advice. Where does that leave your business if their advice proves to be incorrect and they do not carry the appropriate specialist insurance?