There are 200 Questions. Do You Have 200 Answers?


August 24th, 2010
Dana Hawker, Senior Manager, Data Security and Compliance

Completing the PCI DSS Self Assessment Questionnaire does not mean your site won’t be breached.

Fact:

As a small business that processes, transmits or stores credit card data, you are required to validate your compliance with the PCI-DSS.

Fiction:

Validating your compliance with the PCI-DSS means that your data is protected.

Reality:

Validating your compliance with the PCI-DSS only requires you to submit two things:

1. An annual Self Assessment Questionnaire (SAQ)

2. A quarterly report from an Authorized Security Vendor (ASV) that you have passed network scans

However, there is no requirement that anyone ensure the information you submit in your SAQ is accurate, and there is no guarantee that if you are compliant on day one, you will still be compliant on day two.

Think about it. There are over 200 questions that most businesses using an integrated payment application system must answer in the SAQ. As a small business, do you have the IT knowledge or staff to be confident that you know the answers to all of these questions? Do you know that your firewall is configured correctly? Do you even have a firewall? Do you monitor your log files to know whether there is any suspicious activity on your system? If the answer to any of these (or the other 200 questions) is no, would you be tempted just to check a box to comply with the requirements from your processor and avoid fines?

The goal of the PCI Security Standards Council is to ensure that businesses are operating in a manner that protects their cardholders’ data. Given unlimited personnel, time and money, it would be realistic to expect that all small businesses would focus significant effort on understanding each of the 200+ questions thoroughly before submitting their SAQ for compliance. However, resources aren’t unlimited and in fact are scarce these days. The reality is that most small businesses only validate their PCI-DSS compliance when forced to do so by their processor. Even when they do, they put forth little effort in digging into the requirements and ensuring they are in place before checking the boxes in the SAQ. These practices do not lead to a secure environment.

Solution:

You need to think about security first rather than compliance. Security will lead to compliance. Compliance will not necessarily lead to security. Work with your IT vendor or solution provider to assess the state of security at your sites. Prioritize your investments to address any immediate threats or risks that may be present. At the very least, invest in a commercial grade firewall. If you can keep the criminals out in the first place, you’re reducing your risk considerably. When you better understand your current security environment, you will be better equipped to answer those 200 questions – truthfully and accurately.

If you are looking for additional information about data security or would like to sign up to receive newsletters with the latest updates, visit www.restaurantdatasecurity.com or www.retaildatasecurity.com.
