In 2004, when PCI (Payment Card Industry Data Security Standard) first came out, there was almost no guidance available. Jump ahead to today, and you can find numerous suggestions online and from the PCI Security Standards Council on how you should start your PCI compliance efforts when filling out a self-assessment questionnaire (SAQ.)
The problem I see with most of the guidance available today is that it tells business owners which of the 287 requirements they should tackle first from a risk perspective. For example, not having a firewall is considered more dangerous than failing an internal vulnerability scans. Therefore, most security experts would tell a merchant to take care of the firewall requirements before tackling the internal vulnerabilities at a location. The problem is that most small merchants, especially in small fast casual restaurant groups where there is typically no IT department, do not understand either technology, so they cannot start at all.
The typical result is that a merchant gets frustrated and simply decides to ditch the entire effort. This of course puts the merchant at risk if they suffer a credit card breach in the future, and it is not a wise course of action.
There is an alternative approach that seems to work with many merchants that keeps them from feeling so overwhelmed. The approach is simple, but sometimes the simple solutions work best:
Do as much as you can
Start the SAQ and answer all the questions you can. For a typical mom-and-pop restaurant, they will manage to answer about 10 percent of the questions (out of 287). The hard part on this pass is keeping a stiff upper lip and going through the entire questionnaire even though most of it will be skipped.
The next step is to organize the SAQ's into three categories -- Questions that my POS resource should be able to help me answer, Questions I need to do more research on my own to answer and Questions that I cannot answer without professional help. The first two categories are self-evident. There will be work to do, but the questions in the first two categories can be answered with internal resources. If questions fall into the in the third category, it's time to start looking at professional help. The good news is that there are many companies ready to help small merchants. The bad news is that those companies have a variety of services and the costs for those services can vary greatly.
Ask for help
Seek professional help if needed. Hiring the right company, and only paying for the services that fill the gaps in an SAQ can be tricky. A good first step is to interview several PCI security companies. After hearing their pitches, but before they supply quotes, send them the third category of questions -- the ones that required professional assistance. Ask them to base their quotes on those questions, and in particular, ask them to explain how their services can be used to fill in gaps in your SAQ. The benefit of this approach is that the security solution should be tailored to the needs presented, and in most cases, this decreases the total cost significantly.
PCI is not going away, and every merchant must become compliant. For those merchants who are not familiar with security, the task can be daunting. By breaking down what is already understood from the parts that are unclear, the task becomes manageable. Simply making the list more manageable is sometimes the best way to get started.
Bradley K. Cyprus has more than 20 years experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard.