If you’ve recently come to the realisation that your organisation should look at PCI compliance as a service provider, you’re probably wondering how you actually get to the point of becoming PCI compliant.
While there aren’t a lot of PCI compliant service providers in NZ, that just means there are more opportunities for local companies. In fact, you can check the Visa Global Registry of Service Providers for a list of the compliant service providers in New Zealand.
How do I become PCI compliant as a service provider?
At a high level, the process of becoming PCI compliant as a service provider looks something like this (hint: it’s not a whole lot different than being a merchant and becoming PCI compliant):
- Understand what services you provide should become PCI compliant (you might not want or need to make everything PCI compliant at once)
- Figure out if you are storing cardholder data (and if you are, consider if you REALLY need to store it).
- Minimise your PCI scope by making sure that you segment any networks involved in your PCI compliance.
- Benchmark your compliance
- Fix and change things to reach PCI compliance
- Annual assessment
- Ongoing compliance
What services should become PCI compliant?
The services that you should include in your PCI compliance depend a lot on your line of business. So we can’t tell you exactly what parts of your business should look at compliance. But there are a few questions you can ask yourself:
- Do we provide a service that our customers use or could use in their compliance? For example:
- A call centre
- A web host
- A shopping cart site
- A mobile payment app
- Do we provide a service that our customers use for security? For example:
- Managed firewalls including web application firewalls
- Infrastructure services including server management
- Network management services
- Cloud-based log services
- Data Analysis
- Do we offer any services that there’s not already a PCI compliant service provider in NZ for?
- Are there any services we have that we’ve been asked about compliance for?
A lot of this will really depend on what it is that you do and who your market is.
Should you store cardholder data?
Next, work out if you are storing any cardholder data whether intentionally or unintentionally. While this won’t remove your PCI obligations, it will make your PCI journey much easier. Storage of cardholder data for business reasons is possible. But, it means that you will have to take steps to protect that data as per PCI requirements (typically a combination of encryption and key management processes). But by not storing cardholder data, and validating that you do not store cardholder data, you can easily remove certain parts of the standard from your scope.
You can store tokens, but you should make sure that they are protected, especially if they can be reused! You might not need to encrypt them, but you need to understand what data you are storing and where it is.
Minimise Your PCI Footprint
PCI doesn’t require you to segment your network. But that doesn’t mean that you shouldn’t. The biggest benefit of segmenting your network is that you can constrain your PCI compliance requirements to a particular part or parts of your network. If you don’t segment your network, the risk is that you will bring your entire environment into scope and you will need to apply all the PCI controls everywhere. Now, applying the PCI controls everywhere isn’t a bad thing (in fact, most of it should be considered as a good security baseline). But there are a few key benefits that come from network segmentation:
- Smaller PCI footprint
- Potentially lower assessment cost and faster assessment
- Potentially lower ongoing compliance costs for your team
So while segmentation controls have to be penetration tested as part of your PCI requirements, the cost of that will be less than the saving you make in your internal team’s time as well as your assessment time.
Benchmark Your Compliance
One of the best ways that you can help yourself is to understand what it is that you need to do as part of your PCI compliance and to review your compliance against these requirements. This is something that you can do yourself or that Confide can help with.
We would like to think that it’s no secret that the PCI standards including the testing procedures that QSAs have to use are available from the PCI Standards website. But we know that not everyone scours that PCI website in the same way that we do. So if you’re starting out and trying to benchmark your compliance, start with the Report on Compliance template and look at whether you are creating the outputs of the evidence that we need to review as part of an assessment.
If you need help understanding what the standard means and what it’s actually looking for, that’s where we can help.
Fix and Improve Your Environment
If you’ve found that you’re doing everything perfectly already, great! You’re probably off to a good start (though keep in mind that sometimes QSAs view things differently because of the training we have in how to do the assessment and our requirements).
Odds are good though that you’ll have found areas for improvement in your environment. Maybe you realise that you’re not keeping as good of track of changes as you need to be. Or maybe you realise that nobody has been getting those ASV scans attested.
View gaps in your compliance as opportunities for improvement rather than failings in your processes. And always remember that there’s lots of different ways to achieve the same goal so that you’re able to look at how you build the PCI processes into your own processes that already work for you.
PCI DSS is an annual assessment process. The type of assessment you need to do will depend on your size, the number of transactions that you process, your bank’s requirements, your contractual obligations, or even your internal assurance requirements. Service providers are divided into two levels:
|Service Provider Levels||Transaction Volume (Annually)||Assessment Type|
|Level 1||More than 300,000 transactions||Report on Compliance (RoC)|
|Level 2||Fewer than 300,000 transactions||Self-Assessment Questionnaire (SAQ)|
The key difference between merchant assessments and service provider assessments is that are certain requirements that apply only to service providers. Each of these requirements starts with either:
- Additional requirement for service providers only OR
- Additional procedure for service provider assessments only
The reason why there are some additional requirements for service providers is to provide an additional level of assurance since they are responsible for the data of multiple business and end user customers.
In Verizon’s most recent Payment Security Report, they estimated that in 2018 approximately 37% of global organisations were fully compliant with PCI DSS during an interim assessment. Now, the good news is that APAC does a lot better. And in that same time period, approximately 70% of organisations were maintaining compliance. PCI compliance has to be maintained year round.
Once you successfully complete your PCI assessment, compliance doesn’t end there. While PCI is only assessed once per year, your compliance needs to be part of your business as usual processes. In the most recent version of the Payment Security Report, Verizon noted that the most common requirements that were not in place at the time of a breach were:
- Requirement 3: Protect stored cardholder data
- Requirement 8: Identify and authenticate access to system components
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security for all personnel
And the most likely requirements to contribute to a breach when they were not fully met were:
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 10: Track and monitor all access to network resources and cardholder data
The common theme in the requirements that contributed to breaches were all ones where there is a need to maintain processes and systems so that they are managed consistently throughout the year.
As a result, maintaining compliance over time is key to ensuring that there is a smoother assessment in the coming year and that you minimise your risk of a breach. While PCI isn’t a silver bullet that will prevent a security breach, not maintaining compliance with a baseline standard can place you at a significantly higher risk.
As a service provider you’re responsible for not only the security of your customers data, but also your customers’ customer data. So maintaining a good security posture is key to providing your customers with the assurance they need when using your services.
If you’re a Service Provider who needs more information about PCI compliance and what that means for you, please contact us.