A PCI Holiday Wish List

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

As we enter the holiday season, it seems like a good time to put together my holiday PCI wish list. Unlike most lists you may receive, I am targeting each of my wishes to a particular party. And because it seems like a shame to exclude anyone, my PCI wish list includes card brands, trade associations, certain retailers and, of course, the PCI Security Standards Council itself.

It makes sense to start at the top, so I would like to ask the PCI Council to publish a full, one-year schedule of training sessions. The Council's training programs are excellent. Because of that, they are very popular and fill up quickly. As of this writing, the Council has not yet posted future training classes on its Web site. When that list is posted, my wish is that it be a complete schedule for all 2011 courses.

Planning a year out is difficult, and certainly I would understand or even expect changes to meet demand. But a full year's schedule lets merchants (and QSAs!) make plans and budget for the session and location that is best for them.

I'll risk being greedy by asking for a second present from the Council: an RSS feed on the Frequently Asked Questions (FAQ) page. The FAQ section of its new (and very informative) Web site addresses many questions for merchants and QSAs, and the Council committed at the recent Community Meeting to update it regularly. Unfortunately, most retailers and their QSAs cannot check the Web site for updates every few days.

The need for an RSS feed was raised at the 2009 Community Meeting in Las Vegas and again at the 2010 meeting. Many of us subscribe to Visa's RSS feed, which offers a choice of security- and PCI-related topics. Perhaps this could be a model?

Speaking of card brands, I have a wish-list item for them, too. It is one that will benefit thousands of retailers and other merchants. I wish brands would update the contract provisions of their new connected processors to make it easier for customers to comply with PCI DSS.

I'm referring to Requirement 12.8.2, which requires merchants to "maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data the service providers possess." That merchants have difficulty meeting this requirement is not new news and hasn't been new news in quite some time. What is new is that merchants continue to have difficulties even when their processor is now connected to a card brand.

Therefore, my wish is for card brands everywhere to have any processing operations revise their contracts immediately to include language that complies with Requirement 12.8.2.

My holiday wish for the industry associations is to have them do more to help their members become PCI compliant. The PCI Council's training programs are excellent, but they only go so far. They deal with PCI in the abstract. What merchants need is training that builds on the Council's programs with more industry-specific, hands-on case studies of how real live merchants—retailers, restaurants, convenience stores, gas stations, hotels and software providers—implement PCI compliance.I run an annual PCI workshop for the Treasury Institute for Higher Education. We have a PCI deep-dive session, but the greatest benefit comes from the case studies presented by the people who manage their organization's compliance efforts. They describe what they did to become compliant and what it cost in both time and dollars, in addition to their mistakes and victories. We get great support from the PCI Council, and with the help of industry sponsors we manage to keep the cost surprisingly low. Attendees also love the opportunity to network with others who are facing the same challenges.

My holiday wish to industry and trade associations everywhere, therefore—you know who you are, because we all were in the same room at the PCI Community Meeting when I spoke about this topic—is to add value to your members by offering this valuable PCI training. The Institute's workshop is not perfect, but I would be happy to share the approach, agenda and anything else to provide a starting point.

Lest you think I am ignoring the merchants, I have a wish for all Level 2 merchants: Get started with your compliance validation now. As every Level 2 merchant should know, MasterCard requires a new validation regime to be completed by June 30, 2011, focusing on an outside assessment of your PCI compliance.

Level 2 merchants can meet this requirement one of three ways: Have a QSA prepare a Report on Compliance (ROC); send someone to the Council's Independent Security Assessor (ISA) training and have them sign your Self-Assessment Questionnaire (SAQ); or hire a QSA to sign your SAQ. The choice is yours. But whichever path you choose, my wish is that you get started right away.

June will arrive quickly. If your company doesn't have any ISAs on staff and you choose that route, I suggest you check the PCI Council's Web site daily so you can register quickly once the classes are announced (Hint: Maybe a Council RSS feed for training classes would be a good idea, too.). These classes are popular, and they fill up fast, so don't delay.

Alternatively, if you decide to have a QSA involved, start the search and contracting process early. I can just about guarantee a QSA—or an ISA—will question the compliance of some practices and you will have to do some remediation work. All of this takes time, and that is the one commodity you won't have. My wish for Level 2 merchants everywhere, therefore, is that they have their validation plan in place before they get to go on any holiday break.

My final wish is for merchants of all levels to get more involved with the PCI Council. If you are not already a Participating Organization, consider joining. You will get advance notice of changes and developments, the opportunity to have your voice heard and the chance to join a Special Interest Group. Plus, you even get a discount on training (see above).

Like hopeful children everywhere, I don't expect to receive everything on my list. But I hope that I will get at least some of my wishes. If I do, it will be a much happier holiday season next year—not just for me, but for everyone in the PCI ecosystem: retailers, brands, associations and the Council.

What do you think? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].