Braintree Payment Solutions
About this blog

My name is Bryan Johnson and I am the founder and CEO of Braintree. I maintain this blog because payment processing is one of the most difficult components for businesses to manage. It is complex and can pose some significant security, strategic and technical challenges. I try to educate, inform, share my insights and answer questions to help users make better decisions. I've been in the industry for a while now, getting my start in the trenches selling door to door. If you need a resource I am happy to chat.

Creative Commons License
This work is licensed under a Creative Commons License.


Archive for the “PCI DSS Compliance” Category


PCI DSS Compliance Charge On My Merchant Statement?

May 8th, 2008

Most merchants gave up trying to read their monthly credit card processing statements a long time ago because of how unbelievably complex most providers choose to make them.

For those merchants that occasionally look at them, they may be surprised to see a new ‘PCI DSS Compliance’ fee in the amount of $4 to $20 per month. This fee is a bit perplexing to me because the merchant account provider, in all the cases I’m familiar with, is not actually providing any product or service to the merchant related to PCI DSS Compliance.

If a merchant gets breached, the Card Associations fine the acquirer and then the acquirer passes the fine down to the merchant. So while the Card Associations have put the responsibility on the processors to make sure that their merchants are compliant, the merchant is ultimately responsible for becoming compliant and paying the fines if breached.

So why again are merchant account providers charging businesses this fee?


Payment Application Data Security Standard (PA-DSS) v1.1

April 16th, 2008

The PCI Security Standards Council released version 1.1 of the PA-DSS today. The purpose of this program, which was formerly managed by Visa, is to ensure that software vendors and others that develop secure payment applications are not storing prohibited data and are complying with the PCI DSS. It applies to payment applications that are sold, distributed, or licensed to third parties.

Here are a few takeaways:

  • This fall the council will roll out a program to maintain a list of validated payment applications.
  • The Council will begin qualifying companies to become Payment Application Qualified Security Assessors (PA-QSAs) who can perform PA-DSS assessments and audits. (see also this post on QSAs)
  • PA-DSS FAQs

Here is the entire press release:


PCI Compliance and Temporarily Storing the CVV2 Value

April 4th, 2008

I’ve been working with a software provider in the restaurant space, and one of the questions that came up was whether a restaurant can temporarily store the CVV2 value when taking a reservation, to later charge the card if the customer does not show. The word from the PCI Security Standards Council has been that the CVV2 value can never be stored. There are, however, a few exceptions provided for merchants that have a need to ‘store and forward’ the data.

I spoke to a few folks about this, including Brian Serra CISSP, QSA from Accuvant and Michael Dahn at the Aegenis Group. For merchants that are given an exception to temporarily store the CVV2 value, there is always a limited number of days the data can be retained. It’s also ultimately up to the specific merchant’s acquirer whether the practice will be allowed - as they bear the responsibility for the merchant’s compliance.


CVV2 Does Not Affect Credit Card Rate Qualification

April 4th, 2008

Most merchants mistakenly believe that processing a cardholder’s three- or four-digit CVV2 value for a ‘card not present’ transaction (e.g. ecommerce) will help qualify for lower credit card rates. The CVV2 value is only valuable to protect against credit card fraud and has nothing to do with rate qualification. CVV2 is most often confused with Address Verification Service (AVS), which can be used to qualify for lower credit card rates.

CVV2 stands for Card Verification Value and was introduced by MasterCard in 1997 and Visa in 2001. For ‘swiped’ transactions, the value is referred to as CVV1. Each of the card brands has its own acronym:

  • Visa: CVV2 - Card Verification Value
  • MasterCard: CVC2 - Card Validation Code
  • American Express: CID – Unique Card Code (4 digits)
  • Discover: CID – Card Identification Number

Merchants are able to configure payment processing systems to accept or decline transaction requests based upon the match or mismatch of CVV2 information. So for example, if a merchant creates a rule to decline all transactions where the CVV2 value does not match, the authorization request could be successful with the issuing bank, but the transaction will be denied by the merchant. Even though the transaction was denied by the merchant, the consumer’s card will still be authorized.

PCI DSS Compliance prohibits merchants from storing the CVV2 code. For recurring billing, merchants can accept and validate the CVV2 value during the initial authorization but cannot store it for additional transactions. After the initial validation, there really is no value in storing it.
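As an added example (not Braintree’s code and not any card brand’s logic), the Python below models the two points made above: a merchant rule that declines on a CVV2 mismatch still leaves the issuer’s authorization in place, so a reversal is needed, and the record kept for recurring billing must carry no CVV2. The issuer response, auth code and test card are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

# Fields that PCI DSS forbids storing after authorization (sensitive authentication data).
SENSITIVE_AUTH_FIELDS = {"cvv2", "cvc2", "cid", "track_data", "pin_block"}

@dataclass
class IssuerResponse:
    approved: bool          # issuer approved the authorization (funds held)
    cvv2_result: str        # 'M' match, 'N' no match, 'P' not processed
    auth_code: Optional[str]

def simulate_issuer(card: dict) -> IssuerResponse:
    """Constructed stand-in for the issuing bank: the card on file has CVV2 '123'.
    As the post notes, the issuer approves even on a mismatch and only reports it."""
    match = card["cvv2"] == "123"
    return IssuerResponse(True, "M" if match else "N", "A1B2C3")  # constructed auth code

def authorize(card: dict, decline_on_cvv2_mismatch: bool = True) -> dict:
    """Authorize, apply the merchant's CVV2 rule, and build the record that may be
    persisted for later (recurring) use. CVV2 itself is never copied into it."""
    resp = simulate_issuer(card)
    record = {
        "last4": card["pan"][-4:],
        "exp": card["exp"],
        "auth_code": resp.auth_code,
        "cvv2_result": resp.cvv2_result,
        "merchant_decision": "accept",
        "reversal_needed": False,
    }
    if resp.approved and decline_on_cvv2_mismatch and resp.cvv2_result == "N":
        # The issuer already placed a hold on the cardholder's funds, so a
        # merchant-side decline must be followed by an authorization reversal.
        record["merchant_decision"] = "decline"
        record["reversal_needed"] = True
    return record

def leaks_sensitive_auth_data(record: dict) -> bool:
    """Control check before persisting: no sensitive authentication data field present."""
    return any(key.lower() in SENSITIVE_AUTH_FIELDS for key in record)

if __name__ == "__main__":
    card = {"pan": "4111111111111111", "exp": "12/09", "cvv2": "999"}  # constructed test card
    rec = authorize(card)
    print(rec["merchant_decision"], "reversal needed:", rec["reversal_needed"])
    print("stores CVV2?", leaks_sensitive_auth_data(rec))
```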

Other Related Blog Posts
PCI Prohibits the Storage of CVV2 Data
PCI DSS Compliance Basics
Where do Credit Card Fees Come From?


Sample Completed SAQ A Version 1.1

March 8th, 2008

We now have a downloadable SAQ A Version 1.1 that’s been completed by a QSA as if our outsourced PCI Compliance solutions were in place. If you’ve been in, or are about to get into, the PCI trenches, you’ll be pleasantly surprised with the advantages and simplicity of this approach.

If you’re new to PCI Compliance, merchants are required to fill out a Self Assessment Questionnaire (SAQ). A SAQ is designed to be a validation tool and checklist of sorts.

Last month the Council moved away from the one-size-fits-all approach that they had for years and rolled out four different SAQs that better address varied merchant environments (here is a more detailed overview of the changes, SAQs, and other resources). SAQ A Version 1.1 is reserved for merchants that outsource all processing, transmission and storage of cardholder data.


White Paper on PCI DSS Compliance

March 7th, 2008

A White Paper on our outsourced PCI Compliance solution is now available.

Our solution helps merchants reduce the number of required controls from 200+ to 20 or less. This reduction translates into significant time and cost savings as well as increased security. Here’s a more detailed comparison of internal vs. outsourced compliance.


A Do It Yourself Guide for PCI DSS Compliance

March 4th, 2008

Security consultant Joel Dubin, CISSP, has written a helpful article for merchants that are seeking to become PCI DSS Compliant without engaging outside consultants. Here is an excerpt (and the entire article):

Any company that accepts credit cards for its business is subject to the Payment Card Industry Data Security Standard (PCI DSS). As it is with other regulations, such as the Sarbanes-Oxley Act, the biggest component of being compliant is proving you’re compliant.

While it’s unlikely a credit card company would make the effort to catch a midmarket company in the act, it can cut a business off at the knees for noncompliance. A business can be fined, or worse — cut off completely from being able to process credit cards.

Better to have and not need, than to need and not have. PCI audit is something you can do without hiring an outside consultant. Your secret weapon: Documentation.

Auditors have a mystical attachment to paperwork, and if it isn’t in writing in front of them, they won’t see it. The only way to prove to an auditor that your company is compliant with PCI is to document every control required by the standard. In the eyes of the auditor, if a control isn’t documented, it isn’t compliant.

First, appoint someone to be the contact person for PCI auditors. This isn’t a full-time job and doesn’t necessarily even have to be someone from the IT department. The important thing is that this person has a sufficient background in IT and understands the technical terminology in the standard.

Next, go to the PCI Security Standards Council website and download three documents: the standard requirements, the self-assessment questionnaire and the security audit procedures.


Visa PCI DSS Compliance Data Security Alert: Network Vulnerabilities for Financial Institutions

February 26th, 2008

Visa’s Fraud Investigations and Incident Management group released a data security alert for financial institutions. They’re cautioning that hackers are targeting web-facing systems that may be vulnerable to breach, in order to steal cardholder information and introduce malicious software (malware) into internal networks. Visa has documented the following successful penetration incidents:

  • Establishing continuous remote access to the internal network through a ‘back door’
  • Compromising internal systems passwords using a password-cracking system
  • Mapping the internal network infrastructure

They make the following recommendations to guard against these threats:

1. Failure to use a Network-Based Intrusion Detection System
Network-based intrusion detection systems (NIDS) are designed to monitor network traffic in order to distinguish between ‘normal’ network activity and ‘abnormal’ or ‘suspicious’ activity that may identify an attack. The early detection of a network compromise is difficult without adequate network monitoring and intrusion detection capabilities.

Risk Impact: Without the means to detect suspicious network events, network compromises can remain undetected.

Risk Mitigation: In conjunction with achieving full compliance with the Payment Card Industry Data Security Standard, and implementing a robust security monitoring strategy, deploying NIDS can detect and mitigate suspicious events. Suspicious events that may be symptoms of a successful compromise include:

  • Unexpected outbound transmission of sensitive data
  • Network connections originating from internal critical systems that would not normally communicate outside the network, including untrusted networks and the Internet
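As an added example, not from the Visa alert or from this blog, here is a small Python detector for the two symptoms just listed, run over constructed flow records: it flags cardholder-data systems talking to anything outside the internal ranges, and outbound payloads carrying a Luhn-valid card-number-like digit run. The internal address space, the critical host list and every flow record are assumptions made up for the demonstration.

```python
import ipaddress
import re

# Assumed internal address space and the hosts that handle cardholder data.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
CRITICAL_HOSTS = {"10.0.5.20": "db-cardholder", "10.0.5.21": "pos-gateway"}  # constructed
# 13-19 digit runs, optionally separated by spaces or dashes, not embedded in longer numbers.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, which rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(payload: str) -> bool:
    """True if the payload carries a Luhn-valid card-number-like sequence."""
    for m in PAN_RE.finditer(payload):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def detect(flows) -> list:
    """One alert string per internal->external flow matching either symptom."""
    alerts = []
    for f in flows:
        if not (is_internal(f["src"]) and not is_internal(f["dst"])):
            continue  # only traffic leaving the internal network is of interest here
        where = f"{f['src']} -> {f['dst']}:{f['dport']}"
        if f["src"] in CRITICAL_HOSTS:
            alerts.append(f"critical host {CRITICAL_HOSTS[f['src']]} talking outside: {where}")
        if contains_pan(f.get("payload", "")):
            alerts.append(f"possible PAN in outbound data: {where}")
    return alerts

# Constructed sample flow records (not real traffic); the PAN is a standard test number.
SAMPLE_FLOWS = [
    {"src": "10.0.7.14", "dst": "198.51.100.9", "dport": 443, "payload": "GET /news HTTP/1.1"},
    {"src": "10.0.5.20", "dst": "203.0.113.77", "dport": 8080, "payload": "x"},
    {"src": "10.0.9.3", "dst": "203.0.113.5", "dport": 21, "payload": "card=4111 1111 1111 1111;exp=1209"},
    {"src": "10.0.7.14", "dst": "192.168.1.2", "dport": 445, "payload": "4111 1111 1111 1111"},
]
```

Running `detect(SAMPLE_FLOWS)` yields two alerts: the cardholder database reaching an external host, and the FTP upload carrying a card number; the internal-to-internal transfer in the last record is deliberately not flagged by this rule set.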


Updated PCI DSS Self Assessment Questionnaire (SAQ) version 1.1

February 6th, 2008

The PCI Security Standards Council released the new 1.1 version of the Self Assessment Questionnaire (SAQ). The SAQ is a validation tool designed to help merchants demonstrate compliance with PCI DSS. With this release, there are now four unique forms (SAQ A, B, C, D) that are designed to meet the specific needs of various business scenarios. Any SAQ submissions after April 30, 2008 must be completed using the new 1.1 version. Here are the four different versions:

  • SAQ A: Addresses requirements applicable to merchants who have outsourced all processing, transmission and storage of cardholder data.
  • SAQ B: Created to address requirements pertinent to merchants who process cardholder data via imprint machines or standalone dial-up terminals only.
  • SAQ C: Constructed to focus on requirements applicable to merchants whose payment applications systems are connected to the Internet.
  • SAQ D: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under the types addressed by SAQ A, B or C.

Here is some other helpful information:

Here is the entire press release:


Qualified Security Assessors (QSAs) for PCI DSS Compliance

January 30th, 2008

I recently interviewed Brian Serra from Accuvant about Qualified Security Assessors (QSAs). Brian is a CISSP, QSA and ISO 27001 Lead Auditor. Accuvant is a security consulting firm that helps companies address complex information security challenges. The firm focuses on four primary areas: Assessment, Compliance, Wireless and Security Technologies.

1. What is a QSA?

QSA stands for Qualified Security Assessor. It is a certification obtained by experienced security consultants to enable them to conduct the On-Site Data Security Assessment for PCI DSS Compliance. QSAs are required to recertify every year by attending training by PCI and passing the exam. A recertifying QSA must obtain additional CPEs from training and other experiences in order to obtain certification. Some QSAs also maintain other certifications. For example, all of Accuvant’s QSAs are also ISO 27001 Lead Auditors. I myself am certified as a CHSP (HIPAA). There are over 100 QSA companies, and individual QSAs must work for a company that maintains the PCI certification. In choosing a QSA, merchants will want to choose a firm that has similar processes/infrastructure as theirs.

2. What types of services do QSAs provide merchants?

On-Site Data Security Assessments (PCI “Audits”), Gap Analysis, Remediation Services, General PCI consulting and advice. Depending on the size of the company and number of distinct credit card processes, most engagements will last somewhere between 2 and 6 months.

3. Are merchants required to work with a QSA to become PCI Compliant?

No, Level 2-4 Merchants and Level-3 Service Providers use the PCI Self-Assessment Questionnaire to self-certify. Level-1 Merchants and Level 1-2 Service Providers will require a QSA to conduct their annual On-Site Data Security Assessment. There is one caveat: an internal audit group can do the On-Site Assessment, but the results must be signed off by an Officer of the company.

4. What are the pros and cons of ‘doing it yourself’ versus hiring a QSA?

QSA - Pros: Third-party validation which proves ‘due diligence’. Cons: Costs money. But that is not to say more money. Companies may end up spending more money doing it themselves when including the cost of internal resources and diversion from other profit-generating projects.

DIY - Pros: May be more economical. Cons: Difficult to get up to speed on all the PCI DSS requirements. Merchants may miss key areas or controls.

5. How much does it cost to hire a QSA and is it economical for all businesses?

It depends on how mature the compliance program is at the particular business. The cost to make an application PCI compliant averages about $100k.
