The Missing Piece In PCI: System Resellers
Written by Walter ConwayA 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
PCI compliance covers merchants, their service providers and the software applications both use. However, application resellers and system integrators—each of which plays a critical role in many retailers’ security and PCI compliance—seem to have slipped through the cracks.
PA-DSS requires software providers to educate “customers, resellers and integrators on how to install and configure the payment applications in a PCI DSS-compliant manner.” PA-DSS requirements also address actions resellers and integrators must take to ensure the implementation is PCI compliant. My questions are: Who is checking? And assuming the training is sound, who is checking that the actual tech rep fixing your POS system knows what she/he is doing?
“It is the merchant’s responsibility to make sure they are asking the right questions” of their reseller/integrator, Executive Director of the PCI Security Standards Council Bob Russo said on Tuesday (Feb. 28).
In his comments Russo accepted that resellers/integrators fall into a “hole” between merchant and service provider definitions and that this is “an area we are looking at.” He continued: Retailers “go to resellers thinking their problems will be solved. We [the PCI Council] are not an Internet destination for them.” The PCI Council’s most likely response will be to expand its already extensive—and growing—training initiatives to build PCI awareness among resellers and integrators.
Resellers and integrators sell, install and/or service payment applications for software vendors. They are responsible for implementing the application in a PCI-compliant environment, configuring it according to the PA-DSS Implementation Guide (IG) and maintaining it in a PCI-compliant manner.
To make sure all this happens, PA-DSS Requirement 13.2 requires software vendors to have training and communication programs so resellers and integrators know how to implement the application and its related systems and networks according to the IG and in a PCI DSS-compliant manner.
Appendix A of the PA-DSS spends seven pages detailing the implementation and maintenance requirements that apply to resellers and integrators. These requirements range from deleting old data stored by previous versions of the application to having unique IDs, managing encryption keys and implementing automated audit trails.
Good software vendors and their resellers/integrators take their responsibilities seriously.
-Marc
March 2nd, 2012 at 1:37 pm
As a follow-up to the column, I learned that Visa has a Best Practices document for resellers and integrators on their website. Retailers (and anyone) can go here and take a look at what Visa is telling resellers and integrators to do when they work on a merchant site: http://usa.visa.com/merchants/risk_management/cisp_alerts.html.
It looks like a very good list, and thanks to the SFBT reader who brought this to my attention. Merchants can use the best practices, too, to make sure they get all they are paying for.