GDPR may not exactly be a hot topic for most; indeed, its take-up so far has been sketchy, with many organisations doing little or nothing, and the businesses that have embraced GDPR often getting it wrong or failing to address the most critical areas.
When will GDPR become a regulation that businesses feel they must be compliant with, just like the other, more established areas of law: Health and Safety, Employment Law, and, if your business handles card data, that old favourite PCI DSS, or the Payment Card Industry Data Security Standard to give it its full title?
Don’t be confused, though: PCI DSS isn’t law. It’s a ‘standard’ you need to follow, and it is enforced by the major card schemes, including VISA, MasterCard and American Express.
In previous roles we got used to nursing large corporations through PCI DSS: 6 to 12-month programmes involving entire teams, large budgets and Qualified Security Assessors (QSAs). These organisations had to get it right, and since quite a few were Payment Providers, clients’ expectations were that they were fully compliant.
But if you aren’t a large corporation with a large budget, and if you aren’t compelled to have a QSA, then how do you manage?
Over the last 2-3 years, whilst we have been helping businesses unravel GDPR, we have also provided advice and guidance around card payments. Recently a number of engagements have been purely PCI DSS related.
What we have found is that, far from being all done and dusted, many organisations are still struggling with PCI DSS.
How can that be?
Well, first of all, don’t let anyone tell you that PCI DSS isn’t complicated, and the complications start before you even get into the detail.
The dreaded Self-Assessment Questionnaire (SAQ) choice: getting this wrong means you are not going to be compliant right from the start.
And if you err on the side of caution, you might in the worst case be setting yourself up to answer 300 or so more questions than you need to.
It’s not even as if the SAQs are clear. Yes, there are guidelines on which one to choose, but it’s not that simple: you might think you should be using a particular SAQ, but the way your IT is built and configured may well mean that SAQ isn’t the one you need to use.
And once you have the correct SAQ, you then need to satisfy all of its controls.
How should organisations approach PCI DSS?
If you do not have the skills within your organisation, and most do not, then get some advice; that is the best advice we can give. It doesn’t have to cost anything: start with your bank or your acquirer (the place you get your merchant account from), as it’s their responsibility to make sure you are doing PCI.
If they can’t help, then try a third-party organisation. You will find plenty of organisations offering QSA services; however, this is an expensive option if you don’t need a QSA, and if you are not a Level 1 merchant then you do not need a QSA.
Most organisations who specialise in IT security will have expertise in PCI and will be lower cost than a QSA. We are one such organisation, but there are others.
Finally, you can talk to your IT provider. Some know PCI, but beware: many don’t, and the last thing you need is to pay for the wrong advice.
The information provided in this post is for general information only and is not intended to provide legal advice.
© GDPR Auditing 2018.