PCI DSS - A lesson from an expert

Chris Noell

Last week, I was on more Payment Card Industry Data Security Standard (PCI DSS) sales calls than usual.   It reminds me of a lesson I learned when I first started working with merchants on payment card compliance in 2003: providing effective answers requires security and payments knowledge.  For most of us, security is the easy part.  We’ve built a career as security professionals and it’s second nature to keep up with the latest developments in the security community.  However, when it comes to securing cardholder data and providing effective compliance advice, security knowledge is not enough.  It’s important to understand the mechanics of how a payments transactions is captured, processed, transmitted, and stored.  We have to understand the alphabet soup of service providers, ISOs, merchant banks, processors, gateways, etc that are involved in processing a typical payments transaction.  We have to be familiar with different payments technologies from the functionality of the payment application itself (e.g. if it stores data, its configuration settings, store-and-forward capabilities, etc) as well as utilities such as end-to-end encryption and tokenization.

 

When interviewing consultants, it’s important to keep both factors in mind.  Ensure you are getting a credentialed security expert (i.e. a consultant who is a Qualified Security Assessor and who possesses some other certification such as CISSP or CISA).  More importantly, ensure your consultant understands the payments process, particularly as it relates to your business.