Qualified Security Assessor Sean Mathena gives us the inside scoop on PCI (Payment Card Industries) compliance and the rules you need to understand when accepting credit cards in your business, online or offline.
PCI compliance is about securing credit card information and protecting your customers.
Sean Mathena is a Qualified Security Assessor one of the most experienced Level 1 PCI assessors in the world. Your reputation and your business can be damaged or destroyed if you aren’t securing credit card data properly.
In this 18-minute episode Sean and I discuss:
- What is PCI
- The levels of PCI Compliance
- Who is responsible for being compliant
- How to make sure you’re compliant
- What happens if you’re not compliant or security gets compromised
The Show Notes
- Sean Mathena on Twitter (@forensicupdate)
- PCI Levels
- Level 1: 6 Million+ Transactions
- Level 2: 1 Million to 6 Million Transactions
- Level 3: 20,000 – 1 Million Transactions
- Level 4: Less than 20,000 Transactions
- Visa Global Service Provider List
- Self Assessment Questionnaire
- Stripe PCI
- Authorize.Net PCI
- Paypal PCI
- Square PCI
- Top 10 Misconceptions about PCI Compliance
How to Protect Your Customers by Understanding PCI Compliance for Credit Card Security
Voiceover: This is Rainmaker.FM, the digital marketing podcast network. It’s built on the Rainmaker Platform, which empowers you to build your own digital marketing and sales platform. Start your free 14-day trial at RainmakerPlatform.com.
Scott Ellis: Welcome to Technology Translated. I’m your host, Scott Ellis. Today, we’re going to be talking with PCI expert Sean Mathena.
PCI is the payment card industry’s set of rules and regulations governing how e-commerce websites, anyone really that’s transacting online, handles credit card transactions. If you have e-commerce and you are taking credit cards, listen up because this will directly affect you.
Sean Mathena, thank you for joining us today.
Sean Mathena: Sure.
Scott Ellis: Good to have you here. You are a, as I introduced you, as a Qualified Security Assessor. You’ve been doing that since 2005, correct?
Sean Mathena: Correct.
Scott Ellis: What exactly is that?
What Is PCI
Sean Mathena: Prior to the institution of PCI, all of the card brands had their own enforcement program. Then they decided they needed to bring it all together, so the PCI SSC, the Payment Card Industry Security Standards Council, was created. They created the certification of QSA, Qualified Security Assessor. Anyone that is going to perform a PCI assessment, a Level 1 PCI assessment, has to be a Qualified Security Assessor.
Scott Ellis: Okay. First of all, since we are here to translate for non-techies, tell us a little bit more about what PCI — we know what it stands for now, payment card industries — but what does that really mean? What does it mean to SMBs?
Sean Mathena: The PCI Data Security Standard, or PCI DSS, is a set of security requirements that the card brands have mandated that people have to comply with in order to accept credit card data. When you’re talking about a SMB, there are several reporting levels for PCI.
There’s Levels 1 through 4. Level 1s are mainly really large merchants, large service providers. Think maybe Exxon, Walmart. Then it goes down depending on your volume of credit card transactions. In order to be a Level 1, you have to take 6 million or more credit card transactions annually. SMBs usually fall somewhere between the 2 to 4, and those are reporting standards. It tells you the level at which you have to report. It doesn’t absolve you from complying with any of the requirements.
Scott Ellis: Okay, so the same requirements apply no matter what level you’re at.
Sean Mathena: Correct.
Scott Ellis: The level is just about reporting.
Sean Mathena: Correct.
Scott Ellis: Let’s talk a little bit about what those requirements are for PCI compliance. It sounds like it’s something that all of us that take credit cards need to be aware of and to comply with.
Who Is Responsible for Being Compliant
Sean Mathena: Correct. There are 12 major requirements that the PCI DSS is broken down into. Then those 12 requirements are broken down further into sub-requirements — ends up being somewhere around 250 individual requirements. When you’re talking about SMBs, though, going back to the reporting requirements, there’s several different self-assessment questionnaires, or SAQs, that an SMB would fill out depending on how they take credit cards.
For example, if they only take credit cards through a swipe device and nothing else, then they have less questions to answer about their environment. There are not as many things that could be compromised as if you were taking credit cards a number of different ways and it’s passing through a bunch of systems. While in theory, you are required to meet all of the requirements, there may only be a subset of requirements that really apply to you or apply to your environment.
Scott Ellis: Got it.
Sean Mathena: Those requirements extend everywhere from the network devices, to the applications, to policies and procedures, to incident handling, to security testing that has to be done on your environment. To be compliant at the Level 1, it’s quite an ordeal.
Scott Ellis: What does it look like a little further down the chain if I’m a 3 or a 4? I’m doing credit card transactions. I’d love to be doing 6 million a year. Was it a year or a month?
Sean Mathena: A year.
PCI Reporting Levels
Scott Ellis: I’m not there yet, so how onerous is it at that level?
Sean Mathena: At a Level 4, there’s two parts to it. There’s the scanning portion, which is scanning your external environment. That has to be done by an approved scanning vendor. Then there’s the actual attestation to all of the requirements. For a Level 2 through 4, they fill out a self-assessment questionnaire. They don’t have to have a QSA come out on site to do the assessment. They go through and they check it off themselves.
Like I said, depending on how they capture the credit card data depends on how large of an SAQ they have to fill out. It used to be there was one SAQ for everyone. A few years ago, they had broken it down. I think there’s maybe 6 now, 6 or 7, depending on how you accept credit card data. It goes everything from an SAQ D, which pretty much mirrors the PCI DSS, all the way down to an SAQ, I think it’s C-VT, where they’re using a virtual terminal, and there are maybe 20 questions they have to answer.
Scott Ellis: Okay. It doesn’t sound like it’s too bad.
Sean Mathena: No.
Scott Ellis: There’s probably SMBs out there listening to this right now thinking, “Oh man, I’ve never even done this. I don’t know. This sounds awful, but I have to do it.” It’s really not going to be too bad for most smaller businesses. What are the reporting levels? Do you know the numbers for moving down from a 1 to a 2, 2 to 3, 3 to 4?
Sean Mathena: I don’t know those offhand, but I can say, when you get down into the Level 3s and Level 4s, the banks who actually enforce this on their merchants, for lack of a better word there, they don’t have time to deal with all of their Level 3s and Level 4s. If you’re out there and you’re Level 4, which probably most of the SMBs would be a Level 4, and you’re doing something and you’re turning your SAQ in, they’re going to love you for it.
The whole goal is to make sure the credit card data is secure. It’s nice to be compliant, but it’s much more important to be secure. If you’re doing the right things security-wise, you should be good to go.
Scott Ellis: Okay. That begs the next question. If I take credit cards online — that’s all I do, let’s just start there to make it easy — and I want to make sure that I am compliant, where do I go to find out, just to get started to make sure that I am covering my bases?
How to Make Sure You’re Compliant
Sean Mathena: You can go to the Payment Card Industry Security Standards Council. You can Google it. It’s PCI SSC. I think it’s PCISecurityStandards.org.
Scott Ellis: Okay. We’ll find it and link it up in the show notes.
Sean Mathena: They have all of the self-assessment questionnaires out there. They have awesome directions and FAQs that can help you determine exactly where you fit in their compliance regime. You can get started there. Another good location is talking to your merchant bank representative. All of the merchant banks have a PCI representative that is there to help merchants comply with PCI.
Scott Ellis: What if I use a credit card processor for online transactions, like an Authorize.Net or Stripe? Do they help us meet those requirements? Do I have to work with them in some way outside of my bank? How do the gateways fit into all of this?
Sean Mathena: They will normally have someone that can help you with PCI compliance. The big push in the industry right now is just to get credit card data out of the merchant’s hands. A lot of the payment gateways, or even the acquiring banks, for e-commerce are doing some type of client-side redirect or iFrame presentation of where it’s capturing the credit card data, which takes it outside of the actual merchant’s environment. Depending on how it’s set up technically, it could take PCI out of scope for the merchant.
Scott Ellis: Okay, so it’s quite possible that, as a merchant, if I have one of those vendors — and nobody should take this as a blanket statement — but it is possible that, as a merchant, I may not need to worry about the PCI compliance issue if I’m not personally on my site capturing and processing those cards. Did I summarize that right?
What Happens If You’re Not Compliant or Security Gets Compromised
Sean Mathena: Somewhat, yeah. It doesn’t absolve you completely from PCI, but it would severely lessen what you have to do.
Scott Ellis: Okay.
Sean Mathena: If you’re accepting credit card transactions under your merchant ID, then you are responsible to meet PCI requirements. By having a client-side redirect, if you’re taking it over e-commerce, that takes a lot of your environment out of scope.
Another thing that we’re seeing a lot of really small businesses do is using something like PayPal or Square because they process the transaction under their merchant ID. Then the merchant ends up getting a check. It’s all about what happens if you’re compromised.
If you’re identified as what they call a common point of purchase for fraud where a number of people have made a purchase at your establishment and they’ve determined that fraud has been taking place, then you’re going to get contacted. They’re going to say, “Hey, we’ve identified you as a common point of purchase, and you need to have a forensics investigation done.” They’ll have a certified forensics company come out, do a forensics investigation to find out if you are actually compromised, and if that data was compromised at your location.
If you’re using a vendor such as PayPal or Square, then that would never get to you. They’re going to look at the merchant ID that it’s processed under. By doing that, you’re pushing that risk off to that vendor rather than holding on to that risk yourself.
Scott Ellis: Got it. Again, it’s important for everybody listening to keep in mind that this is really about protecting our customers and their information, their data, and their credit card numbers, and trying to prevent that fraud from happening. If I am a merchant, let me ask, is there a validation of some kind that I can show to people, on my website, for example, that lets them know that I am compliant?
How to Show Proof of Compliance on Your Site
Sean Mathena: There is. A lot of the QSA companies will provide a badge on your website that says that you’ve been validated. In order to get that, obviously, you have to hire the QSA company. They’ll either, if you’re a larger merchant, come out and do that assessment, or they’ll do the scanning, or they’ll accept your SAQ, review it, and get that badge on your website.
Scott Ellis: Got it. Again, the SAQ is the self-assessment questionnaire?
Sean Mathena: Self-assessment questionnaire, yeah.
Scott Ellis: Okay. Anything else in particular if I’m a merchant and maybe I’m just getting started or I’ve been taking PayPal, I want to start taking credit cards, that I should be aware of, that I should be thinking about as I’m going down that path?
How to Further Reduce Risk
Sean Mathena: I always tell, especially, my larger clients, there’s a few things that you need to do to really be successful. You need to identify where all your credit card data is — where it’s coming in, where it’s going out, what happens to it when it’s in your environment. Once you identify that, you need to take and get that credit card data to as few locations as possible.
If you have a flat network, which means that you don’t have any segmentation in place, you need to segment that credit card data off into its own little island of goodness, so it doesn’t infect the rest of your environment. Then, once you’ve got it all contained, then you need to try to get rid of as much of the credit card data as you can.
Just like I mentioned with the e-commerce merchants where you could do a client-side redirect where you never actually receive the credit card data, for brick-and-mortar merchants, you can use an end-to-end encrypting solution where, as soon as you swipe that credit card, it’s encrypted. It gets sent off to your bank or processor, and you never see that credit card data there.
There are a number of things that are out there in the marketplace that allow you to essentially get rid of that credit card data, thereby reducing the risk.
Scott Ellis: Okay. What about selecting my gateway or my processor? I’m looking for somebody that’s going to handle my credit card transactions. What are the things that I need to be looking for when I go out and I’m considering who I’m going to use to process those things so that I know I’m compliant in that respect?
What to Ask When Selecting a Payment Processor
Sean Mathena: Right. The first thing is money. How much are they charging you? After that, you want to talk to them about how much support they give for PCI compliance. Do they have someone that you can call with questions? Do they offer any of the solutions that I mentioned? Do they have a model that can take the credit card data out of your environment?
A little bit more background on PCI, the merchant can’t ever have anything done to them. Any of the fines are sent to the acquiring bank. Then the acquiring bank has to pass that on to the merchant. If the acquiring bank is providing a solution that is saying, “Hey, we’re taking this credit card data out of your hands,” then, obviously, they’re not going to pass fines down.
Scott Ellis: Right. Who levies those fines from the top?
Sean Mathena: The card brands.
Scott Ellis: The card brands do?
Sean Mathena: Yeah, and the processors or the acquiring banks are member banks, and they have the agreement with the card brands.
Scott Ellis: Got it. Okay. Again, anything else in particular I should look for with the vendor as I’m choosing somebody? Key words, red flags, or anything like that?
Sean Mathena: Obviously, you’d want to make sure, especially if you’re not going directly to acquiring bank, you would want to make sure that that vendor is PCI compliant. All of the gateways, they’re required to be PCI compliant as a service provider. You can find out if they’re PCI compliant online on the service provider list that Visa maintains. I’m sure we can get the link for that as well.
Scott Ellis: Yeah, we’ll definitely link out to that.
Sean Mathena: Then, like I said, just ask about the support, PCI compliance, from their end.
Scott Ellis: Okay. Yeah, I would think it would be clearly in the best interest of all of those providers to be PCI compliant.
Sean Mathena: Absolutely.
Scott Ellis: For anybody listening, it’s probably a pretty safe bet if you’re using somebody reputable like an Authorize.Net, a Stripe, or somebody that they’re going to be PCI compliant, but it’s a trust but verify type situation as well. Okay, Sean, that was very insightful. Thank you very much.
Sean Mathena: Sure.
Scott Ellis: Anything else you want to leave us with before we move on to any questions that people have? Any last thoughts on PCI compliance? If you could give people one or two bits of advice, what would it be?
Sean Mathena: I think I mentioned it earlier. PCI compliance is nice, but PCI does not equal secure. It’s good to be PCI compliant, but it’s much more important to keep the data secure. You don’t want to end up on CNN with your brand up there saying that you’ve lost a lot of credit cards.
Scott Ellis: Contrary to popular belief, not all press is really good press. That would definitely be one of those.
Sean Mathena: Exactly.
Scott Ellis: Okay. Sean, thank you very much. I appreciate your time today.
For anybody that wants to learn a little bit more, definitely just jump out to TechnologyTranslated.FM. On this episode, we will have show notes and links to all the things that we’ve mentioned today.
If you’ve got any follow-up questions after you hear this episode, as always, you can just Tweet, Facebook, Google+, LinkedIn, whatever you’d like. Just make sure you use the hashtag #asktechtrans. We will find your questions and answer them.
Thanks again, Sean.
Sean Mathena: Great. Thanks.
Scott Ellis: Technology Translated is brought to you by the Rainmaker Platform, the complete website solution for content marketers and online entrepreneurs. Find out more and take a free 14-day test drive at Rainmaker.FM/Platform.