“PCI compliance” seems to be an ever-tightening noose around the neck of anyone who wants to accept credit cards as a form of payment and anyone who wants to process credit card payments for others. While I believe strongly in the mission of PCI compliance, I believe it is easily misunderstood and almost always dreaded because of its complexity.
A recent example of PCI’s ‘casualty list’ is SunGard Higher Education, who beginning in October of this year will no longer be offering their Banner program, shifting the requirement of compliance to the service providers and not themselves. This program stored, processed and transmitted credit card information for colleges and universities; SunGard’s ending of the program allows their schools to remove this aspect of credit card processing from their quest for PCI compliance. The major credit card brands are making it clear that unless you are serious about processing credit card information they want you out of the business, because it is too risky for them if you are not one hundred percent compliant.
Recently there have also been some instances of major companies being penetrated by ‘hackers’ and private financial information being compromised. Were these companies PCI compliant? If so, how could a company be PCI compliant and still be “hacked”? The answer is that the protection of sensitive or private information is the job of everyone, from the VP making operational decisions to the janitor who might find sensitive information in a trash can to the sales clerk ringing up a sale at a cash register. Everyone is responsible for following the policies and procedures set forth by the security officer. As the PCI compliance officer at my company I realize that while I can write policies and procedures, I cannot monitor what everyone is doing. The job of the compliance officer is to make sure that reasonable steps have been taken to ensure the safety of sensitive information.
So what does this mean for a business that wants to use a company that processes credit cards? How do you know that the company you have chosen to process your credit card payments is PCI compliant? There is a list published by Visa called the Global List of PCI DSS Validated Service Providers (visa.com/splisting); the other major card brands also have their own versions of this list. At first glance one would believe that being on this list means that it is safe to use one of these businesses. Even the definition on the report would make one believe this was true: “The companies listed below were validated as being PCI DSS compliant by a QSA”. The confusion of compliance begins here. While the companies on this list are technically PCI compliant, that does not mean the same thing for each company. Being on the Visa compliance list means one sector of a company has been through the requirements for certification and has passed. This does not necessarily mean the entire company is compliant. If we think about this it is quite scary. What if you sign up with a company believing they are PCI compliant to process credit card transactions for your business, and then you are “hacked”? Your financial institution, the one you have established the merchant account with, will want answers about why you as a business did not make sure that the company you were using was fully certified. That is not the position any of us wants to be in should we be compromised by a hacker.
So, what do you do? You can call the credit card companies and ask them if the company you are considering using is on the list, but you must make sure you are asking the right questions; otherwise their presence on the list can be a bit misleading. How do you know when a company you are considering as a vendor is as compliant as possible in all areas of the business? Having just completed the process of making our company completely PCI compliant, I can share with you the information I received directly from the individual within Visa who actually places service providers on their list.
There are two distinct steps that must occur if a third-party agent wishes to appear on the Visa list. First, you must meet all the PCI standards based on your “level”. The number of transactions the company processes in a given year determines its level. Once it has been determined that the company has met the required standards, it is necessary for a bank or financial institution to perform an “audit” of the financial information of that company. Those two steps are what will get a service provider on the Visa list. Yet it is important to note that unless the financial institution you use has performed its own audit, one that looks specifically at the financials of the business, then that business is not PCI compliant for you. This is a critical point. If you want to use a vendor on the compliance lists you should call your bank and ask if they have completed an audit on that company. Otherwise you may expose your business and your bank to higher fines from the major credit card brands should something happen.
It is also important to know that every PCI Level 1 company has a monthly external scan performed to look for any new vulnerabilities. This scan is not as extensive as the annual audit that the service provider has already passed, but it is thorough enough to detect major weaknesses which may have arisen since the previous scan the month before. When considering using a service provider you should ask to see their yearly and monthly PCI certificates.
Lastly, having gone through several annual PCI audits, I can say it would theoretically be possible to “omit” certain parts of your business from evaluation. One might do this if not every application that touched credit card information was fully PCI compliant. While this would be unethical and is not condoned by the QSA or the major card brands, it is possible. For example, let’s say Company B owned and operated a payment gateway that other businesses used to process credit transactions from a credit card terminal. However, Company B also offers online credit card transactions for a web storefront. Company B could be on one of the lists published by a major card brand as being compliant for the payment gateway, yet not have informed their Quality Scanning Assessor (QSA) about the web storefront because they knew it would require additional engineering to meet PCI standards.
This means that if you are using their website and someone gets into that website and steals the information, the card brands may hold your bank responsible and the bank could in turn hold you responsible. So, you see this company on the compliance list, as does your bank, but when any of the major credit card companies start evaluating the problem they find the company was not compliant for the website, and therefore it has just jeopardized you and your business. The best way to find out if the company you want to use has been truthful with their QSA is to get a copy of their Report on Compliance. Also call their QSA, tell them exactly what you want to use the company for, and ask if this is specifically what the compliance was for or if it was given for some other reason.
The whole process seems so overwhelming, and from our side, the company trying to become compliant, it can be sometimes. However, once you understand the process you will find it is not as difficult as it seems. I think about PCI compliance in this way: I would not want to visit a doctor who had not passed the state board exams, graduated from a reputable college or university and carried proper insurance. It is just not worth the risk. The same is definitely applicable to doing business with companies who are not PCI compliant in the category in which you are doing business with them. The financial institutions will be much less tolerant in the future should anything go wrong, and so will parents and students. For most businesses it should be a risk not worth taking.