The Missing Piece In PCI: System Resellers

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

PCI compliance covers merchants, their service providers and the software applications both use. However, application resellers and system integrators—each of which plays a critical role in many retailers' security and PCI compliance—seem to have slipped through the cracks.

PA-DSS requires software providers to educate "customers, resellers and integrators on how to install and configure the payment applications in a PCI DSS-compliant manner." PA-DSS requirements also address actions resellers and integrators must take to ensure the implementation is PCI compliant. My questions are: Who is checking? And assuming the training is sound, who is checking that the actual tech rep fixing your POS system knows what she/he is doing?

"It is the merchant's responsibility to make sure they are asking the right questions" of their reseller/integrator, Executive Director of the PCI Security Standards Council Bob Russo said on Tuesday (Feb. 28).

In his comments Russo accepted that resellers/integrators fall into a "hole" between merchant and service provider definitions and that this is "an area we are looking at." He continued: Retailers "go to resellers thinking their problems will be solved. We [the PCI Council] are not an Internet destination for them." The PCI Council's most likely response will be to expand its already extensive—and growing—training initiatives to build PCI awareness among resellers and integrators.

Resellers and integrators sell, install and/or service payment applications for software vendors. They are responsible for implementing the application in a PCI-compliant environment, configuring it according to the PA-DSS Implementation Guide (IG) and maintaining it in a PCI-compliant manner.

To make sure all this happens, PA-DSS Requirement 13.2 requires software vendors to have training and communication programs so resellers and integrators know how to implement the application and its related systems and networks according to the IG and in a PCI DSS-compliant manner.

Appendix A of the PA-DSS spends seven pages detailing the implementation and maintenance requirements that apply to resellers and integrators. These requirements range from deleting old data stored by previous versions of the application to having unique IDs, managing encryption keys and implementing automated audit trails.

Good software vendors and their resellers/integrators take their responsibilities seriously.Good software vendors and their resellers/integrators take their responsibilities seriously, and they do their work well. But retailers need to do their part, too. For a start, get a copy of the IG from your reseller (or the software vendor), and then read it. If the IG is well prepared, any retailer should understand the instructions and see the risks of noncompliance. Work with your reseller/integrator, and have them demonstrate to you how they accomplish each step of the implementation.

If the individual installer is not familiar with the IG or its requirements, you, the retailer, could be at risk. Contact someone in authority at the reseller/integrator and demand a competent installer. Clients of mine have had bad experiences. There is no excuse for any retailer to have such an experience, and good resellers/integrators will remedy the situation immediately.

Are resellers/integrators themselves subject to PCI DSS compliance? From one perspective, they might be, because although they do not store, process or transmit cardholder data, by their actions they certainly can impact the security of each transaction. For example, if the payment application uses wireless (a common situation), the reseller/integrator must follow both PA-DSS 6.1—requiring changing the default password—and PCI DSS 2.1.—requiring a firewall. Another example is that no cardholder data should be stored on any Internet-accessible system (PA-DSS 9.1). In both cases, the reseller/integrator clearly can affect the security of the card data and may be considered a PCI service provider.

The difficulty is that most resellers/integrators do not consider themselves to be service providers. Retailers will not find too many of them on the Visa and MasterCard lists of PCI-compliant Level 1 service providers.

What this means is that it all comes back to the retailer. Retailers have to continue to take direct responsibility that their resellers and integrators accomplish their work in a PCI-compliant fashion. There is no way around it if the retailer is going to host a payment application.

What do you think? What is your experience with resellers and integrators? What has been their reaction when you asked if they were PCI compliant? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].