In scanning through my morning reading, I ran across this gem of a piece from Help Net Security. I'm really starting to wonder what is going on in the industry. This is seriously some of the worst advice I've seen regarding PCI DSS compliance in recent months.
"Jeff LoSapio, security practice manager for Fortify, comments: 'Smaller companies accepting card payments need to start thinking like larger scale companies. With cyber threats at an all time high they are increasingly a target and need to take PCI seriously.'"
There are so many issues with this. I strongly disagree with the assertion that small companies need to think like big companies. No! Big companies like to in-source their billing platforms. We do not want smaller companies thinking this way! If you're a Level 3 or 4 merchant, you should not be running your own billing platform. Period. End of story. If PCI were serious about solving this problem, they would not waste money investing in the DSS program and would instead require outright that merchants processing fewer than 1 million transactions/year outsource to a certified program. Problem solved, crisis averted.
"Only once you have confirmed your business requires compliance, and what deadlines are being imposed, should companies consider employing a PCI DSS consultant."
More bad advice (this time from the author of the article). Does your company accept credit card transactions on a system you maintain or operate (i.e., not a third-party site)? If the answer is yes, then your business requires compliance. Now go find a consultant who can help you reduce the burden in as cost-effective a manner as possible. Not bringing in a knowledgeable consultant sooner rather than later is doing a disservice to your business and your customers, not to mention increasing your legal exposure and likelihood of being fined.
"Even then, understanding the difference between a QSA (qualified security assessor) and an ASV (approved scanning vendor) is another key step along the road of better PCI compliance. Coupled with the array of fact sheets on the council's Web site, much of the process of preparing for PCI DSS compliance can be achieved before the need to employ a consultant arises."
Once again, advice that is questionable. The article speaks particularly to small businesses. In my experience, these organizations rarely have dedicated security staff. In fact, it's unusual to have anybody on staff with much of a security background at all. DSS is written at a security practitioner's level, which often makes it difficult for non-security people to understand. Moreover, it's a very large document that easily overwhelms. Sure, PCI has provided supporting fact sheets and the like, but more often than not they seem to lead to confusion, shortcutting, quitting, or just an outright mess.
It cannot be said enough: if your organization is dealing with credit card data, then it is imperative that you contract with or hire someone to help you quickly outline your risk profile with respect to DSS and chart a reasonable, feasible strategic plan to move to a compliant state. More often than not, this strategic plan should include moving the billing data out of your environment altogether in order to significantly decrease the exposure and potential liability that the business will then have to carry.
Dr. Evil: Gentlemen, I have a plan. It's called blackmail. The Royal Family of Britain are the wealthiest landowners in the world. Either the Royal Family pays us an exorbitant amount of money, or we make it seen that Prince Charles has had an affair outside of marriage and therefore would have to divorce!
Number Two: Prince Charles *did* have an affair. He admitted it, and they are now divorced.
Dr. Evil: Right, people, you have to tell me these things, okay? I've been frozen for thirty years, okay? Throw me a frickin' bone here! I'm the boss! Need the info.
[pause]
Dr. Evil: Okay, no problem. Here's my second plan. Back in the '60s, I had a weather-changing machine that was, in essence, a sophisticated heat beam which we called a "laser." Using these "lasers," we punch a hole in the protective layer around the Earth, which we scientists call the "Ozone Layer." Slowly but surely, ultraviolet rays would pour in, increasing the risk of skin cancer. That is, unless the world pays us a hefty ransom.
Number Two: [pause] That also already has happened.
Dr. Evil: Shit. Oh hell, let's just do what we always do. Hijack some nuclear weapons and hold the world hostage. Yeah? Good! Gentlemen, it has come to my attention that a breakaway Russian Republic called Kreplachistan will be transferring a nuclear warhead to the United Nations in a few days. Here's the plan. We get the warhead and we hold the world ransom for... ONE MILLION DOLLARS!
Number Two: Don't you think we should ask for *more* than a million dollars? A million dollars isn't exactly a lot of money these days. Virtucon alone makes over 9 billion dollars a year!
Dr. Evil: Really? That's a lot of money.
[pause]
Dr. Evil: Okay then, we hold the world ransom for...
Dr. Evil: One... Hundred... BILLION DOLLARS!