After discussing the new, more stringent PCI (Payment Card Industry) guidelines several times, including last month, let's dig even deeper. Two companies involved in both ends of the PCI process graciously talked to me about what one did to pass, and how the other evaluated its progress to get a passing grade on its assessment.
“Technically, companies don't undergo PCI audits, but PCI assessments,” said Rick Dakin, President and CEO of Coalfire Systems, a security group focusing on compliance assessment and management solutions. Audits have more stringent legal liabilities attached.
But don't get the idea a PCI “assessment” is a snap to pass, because it's not. Jeremy Segale is VP Operations for PaySimple, a service company specializing in auto-recurring billing, eChecks, online payments, and credit card processing. The company does so many transactions at such volume it is a Tier 1 Merchant and requires an on-site assessment. “We started on January eighth,” said Segale, “and the process was finalized March first.”
Segale made a 12 page worksheet, one for every major security area check demanded by PCI, and did an internal pre-audit. Those 12 pages contained 136 major points to check. Some security details were satisfied by the data center hosting their servers, such as physical server access restrictions to maintain data security.
PaySimple did a “gap analysis” before Coalfire arrived, said Segale, “just on a pass/fail basis for internal use only.” Things he hadn't considered, like “screen shots showing domain management of user access,” caught them by surprise on the first trip through the checklist.
Rick Dakin of Coalfire said his company started as an early ASP (Application Service Provider, the forerunner of Software as a Service) back before the Internet bubble burst. After it did, he focused on the security parts of the business and moved into compliance, which now takes 100% of the company's attention.
“The compliance business still needs a trained eye,” said Dakin, “and you can make it as a boutique firm in compliance management.” Coalfire has 40 auditors, plus support staff, in offices in New York, Seattle, and Boulder, Colo. “The Big Four accounting firms aren't in compliance because the PCI standards are not at AICPA (American Institute of Certified Public Accountants) levels.”
While Dakin can't give specific details about PaySimple's recent assessment, he had good things to say about what he saw. “PaySimple sees the need for cardholder security, and structurally changed the way it operates. Legacy systems are hard to secure, but PaySimple now has its own software and its first sustainable platform, which it integrates other software modules into.”
Even better, Segale and PaySimple started working with Dakin and Coalfire early on in the design process. “There's a 'design adequacy test' meaning if you do this will it work? PaySimple did that well. Its operating effectiveness tests went well because it built controls into the process from the beginning.”
Dakin said PCI goes into a high degree of specificity on firewalls, log files, and other security tools. Some industry audits only ask if the company has a firewall, but PCI auditors can read firewall rules and see network diagrams to verify proper firewall placement.
Since PaySimple handles transactions for its customers, such as gyms or schools regularly billing the same customers each month as well as standard credit card processing, it takes much more PCI “heat” and examination than its customers. Taking the next step, PaySimple provides information to help its customers go through the PCI self-audit process, and helps them understand what they can and can't do.
“We truly care for card holder security,” said Segale, “and we protect them in case there's a breach from MasterCard and Visa as well as the FBI.” Although people in business a long time find these new rules burdensome, Segale said “they do understand the new rules are there for a good reason.”
Let's hope PaySimple's customers don't fall into the fastest growing service area of Coalfire, which is forensic examination. “It's emotionally draining to see your customers get damaged,” said Dakin. In almost every case, “an ounce of prevention could have really helped lessen the damages all around.”
Dakin's parting words are aimed to stop people with a good compliance rating from getting to full of themselves. “There's a big difference between compliance and security. Even if you're compliant, you're not secure.”