So Your Client Is Requesting You Help Them Become PCI DSS Compliant
What is PCI DSS?
I hope you’re not reading the title of this blog post and thinking to yourself, “PCI DSS? What’s that?” If you are, you can get the "what is PCI DSS?" question answered in one of our earlier blog posts.
PCI stands for the Payment Card Industry: a consortium of the leading payment card brands (credit and debit cards, for the most part) in the world: American Express, Discover, MasterCard, Visa, and Japan Credit Bureau. But those are just the founders. When we talk about PCI DSS, usually what we’re talking about is compliance with a set of regulations concerning data security that were created by this affiliation of payment card companies.
The reason I say I hope you already know about PCI DSS is this: if you’re a managed services IT provider (MSP) and you have retail clients (or any clients that accept credit or debit cards, which is probably most of them) and they’re not compliant with the PCI Data Security Standard (PCI DSS), they risk losing the ability to accept payment cards.
And here’s the kicker: You could be the source of their noncompliance.
Let me explain. One of the central tenets of PCI DSS is that any incursion into the cardholder data environment (any system that stores or processes cardholder information) must itself be compliant with the regulations of PCI DSS. That means if you go through an agent for remote access to your clients’ POS terminals or any other computer they use to store and process credit cards, you are piercing into the cardholder data environment, and thus, you are subject to the rules of PCI DSS. If you’re not following the rules, you’re exposing your client to a significant amount of risk.
Helping Your Clients Become PCI DSS Compliant
But let’s get back to the title of this article. Hopefully, you already know this stuff, and if your client asks you to help them become PCI DSS compliant you can say, “No problem. We got this.” At least, from your end, anyway.
Helping a client become PCI DSS compliant on their end is a little bit trickier. Often, they seek out PCI DSS compliance after receiving a polite-but-firm warning letter from their bank or payment card service provider. (Note: it’s usually the service providers that suffer the direct penalties from the big payment card brands.) This isn’t a good sign. It means your client is non-compliant and needs to shape up in a hurry or it will lose payment card privileges. I don't think I need to explain that losing the ability to process credit and debit cards will cause serious harm to their revenue.
Your task at this point is partly one of education. Teach your client about the PCI DSS regulations, educating them on terms like advanced authentication (multi-factor authentication), role-based access control, encryption, strong passwords, and password security auditing.
Once they understand these concepts, it’s time to bring in the big gun: the solution that answers most, if not all, of their compliance concerns. I’m talking about a password management system.
PCI DSS Compliance and Password Management
As we write about in our latest eBook ("User Authentication and PCI Compliance for MSPs"), by implementing security requirements like advanced authentication, enforcing strong passwords, and restricting access to password information on a “need-to-know” basis, a good password management system goes a long way toward PCI DSS compliance.
By tracking and recording every time a credential is used or altered, such a system can also serve as a useful source of information should an audit occur. Logging accurate information for audits is another important aspect of PCI DSS compliance.
If you’re already using a robust password management system to maintain your own side of the PCI DSS compliance bargain, consider bringing the same capabilities to your clients. And, don’t wait until they ask.