For the past 2 years I have taken a very hands-on approach to PCI compliance. Often I’m right there with my clients as they go through their portal, answering questions, and doing network scans (if required).
PCI Compliance Components
There are two main pieces of PCI compliance – the questionnaire (SAQ) and the network security scan.
The questionnaire is a series of questions designed to get the merchant’s (your) attestation that you’re not being careless with cardholder information and that you have taken at least some basic measures to protect cardholder information from being compromised.
Typically, you are asked several questions before you are pushed into the correct SAQ for your business.
PRO TIP: Choose your questionnaire manually to increase your chances of avoiding PCI compliance fees (full list of questionnaires available here).
Topics covered by the SAQ (Self Assessment Questionnaire):
- What processing equipment are you using?
- How does your business handle the storage of cardholder information?
- How does your business protect access to your network (passwords, etc.)?
- Are you accepting EMV/chip cards or using a P2PE (point-to-point encryption) solution?
Component 2: Network Scan
Depending on the answers to the questions posed in your portal, you may be required to embark upon the frustrating wasteland of a network security scan. This is where the PCI scanning vendor (ControlScan, TrustWave, etc.) scans your network from the outside, looking for weaknesses a bad actor could use to get in and compromise stored cardholder information.
PCI Compliance Is Important. It’s Also Mainly BS
Look, we can all agree that protecting cardholder information is VERY important. Leaving piles of handwritten purchase orders on your table with full card numbers, expiration dates, and billing addresses is a terrible idea.
A company charging you a penalty for doing so is not going to change whether you are compliant, and unless you are working with a good salesperson, you’re not going to change the way you do things anyway.
The Dirty Secret of PCI Compliance
Every processor pays a third-party to manage their PCI compliance portal. There are a handful of providers out there and they charge anywhere from $1.00/month to $9.00/month for the service. It’s a good service.
Here’s the secret. Are you ready?
You being non-validated or non-compliant does not cost the processor more.
There is no increased cost. In fact, your processor makes MORE money if you are not compliant.
Salespeople act the way they’re compensated. If your processor makes more money for you being non-compliant, guess what? They’re going to make decisions that make it harder for you to be “compliant”.
ControlScan and TrustWave are built to force you into non-compliance
Companies like ControlScan and TrustWave make their questions and the resulting answers so complicated that most merchants have no idea how to answer them properly and are thus forced into a non-compliance fee scenario. Processors choose these two companies because choosing them and their garbage platforms makes the processors more money. It’s simple really.
PCI non-validation (or non-receipt of PCI validation) fees are nothing more than a stick used to punish you into acting the way the processor wants you to act.
For the vast majority of merchants, it is a perfunctory task you do so you don’t get in trouble. You know it has ZERO value to you as the business owner. You know that it doesn’t help protect your customers. You know that it’s almost completely pointless.
Sound familiar? A thing you do because you don’t want to get in trouble, but you know logically it does just about nothing?
It’s laughable really.
Restaurant PCI Compliance Example
Let’s say you own a restaurant.
You use a solid point of sale system with the latest in P2PE technology (Clover for example). This system is incredibly strong from a security standpoint.
It’s very difficult to penetrate, and the readers are built into the main unit, so intercepting cardholder data is frankly nearly impossible and certainly not worth the effort of the gifted hacker it would take to succeed.
Your network is segmented – meaning you have one network set up for your point of sale system and a completely separate SSID for your guest wireless.
You are doing great! Based on your questionnaire, you’re PCI compliant – if you take it, that is. If you even know you need to do it, that is. If you even know where to go, how to log in, which questionnaire to choose, and how often you’re supposed to do it, that is.
Here’s the deal… you’re still not compliant.
Unless every transaction is one where the cardholder inserts their own card into your system to pay, you are still technically not compliant.
The moment your server takes that card, walks away from the table, and compromises the physical security of that card, you are no longer compliant.
Sadly, like my kids going to school with masks in their pockets, PCI is a part of our life.
If you want an expert to help you with this process and navigate systems actually designed to verify compliance instead of forcing you into non-compliance, let’s have a chat.