From The Editor | July 12, 2012

Are You Out Of The Loop On PCI Compliance?

By Erin Harris, associate editor

We recently surveyed you, our readers, on your familiarity with payment security and PCI (Payment Card Industry) Compliance. I was impressed and encouraged by the number of respondents who have input/interaction with the payment processing part of the business (100%!). Ninety-four percent of respondents stated they are aware of the risk and financial consequences if payment information is compromised. In addition, 84% state that they are aware that every merchant that accepts card payments is required to comply with PCI requirements. Nearly 55% stated that P2PE (Point to Point Encryption) is something they’d be interested in.

We also polled our readers about payment processing-related terms and their familiarity with them. We asked, “Which of the following terms/concepts presented in this survey were foreign to you?” Twenty-one percent of respondents were unaware of the term PCI; 30% were unaware of P2PE (Point to Point Encryption); 54% were unaware of SAQ (self-assessment questionnaire); and 51% were unaware that card data breach protection programs exist.

Since there’s some confusion about these terms, here’s some information that can help you understand their meaning and purpose.

P2PE
According to the PCI SSC (Payment Card Industry Security Standards Council), point-to-point encryption (P2PE) includes people, processes, and technology in place to encrypt and decrypt transmitted cardholder or sensitive authentication data. Encryption occurs at one designated and independently validated encryption device or location in a card transaction (the source or encryption point), and the data is subsequently sent as unreadable ciphertext for decryption to another designated and independently validated decryption device or location (the destination or decryption point). The data remains encrypted between the source and the destination, with no decryption of the data feasible at any point between the source and the destination. The presumption of P2PE is that cardholder data in transit is protected when it is encrypted to the extent that an entity in possession of the ciphertext alone cannot reverse the encryption process. To learn more about P2PE and what it means for your organization, click here.

SAQ
The PCI DSS (Payment Card Industry Data Security Standard) SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. The purpose of the SAQ is to assist organizations in self-evaluating compliance with the PCI DSS, and you may be required to share it with your acquiring bank. There are multiple versions of the PCI DSS SAQ to meet various business scenarios. Each SAQ includes a series of yes-or-no questions about your security posture and practices. The SAQ allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation. The SAQ validation type is not correlated with a merchant’s classification or risk level. Click here to learn more about PCI DSS SAQ.

Starting From Square 1?
Before you take action on anything PCI-related, you may want to obtain background information and a general understanding of what you will need to do to become and remain compliant. The PCI SSC (Payment Card Industry Security Standards Council) offers a Documents Library on its website (www.pcisecuritystandards.org), which includes several resource documents designed to help you navigate the Standard. You can download a Quick Start Reference Guide, which is a convenient explanation of PCI requirements.

Finally, the July 2012 issue of Integrated Solutions For Retailers features a special report written by Bob Russo, the general manager of the PCI Security Standards Council. Russo’s article provides thoughtful insight around integrator and reseller interaction with your systems and what you need to know to safeguard your company from being breached.

What are your thoughts on PCI DSS? Talk to us about it here.