We've been asked quite a bit about PCI-DSS recently. Our e-commerce clients have been receiving some quite conflicting information and demands from their merchant account providers so we'd like to give you some background information and explain what is required to be PCI-DSS compliant.
Firstly, what is PCI-DSS? Those letters stand for "Payment Card Industry Data Security Standard", and it is an information security standard created by the Payment Card Industry Security Standards Council to help reduce payment card fraud.
The idea is that all organisations handling payment card data should have standards and protocols in place relating to what they do with this sensitive information. If you're handling card data, you not only need to be PCI-DSS compliant but you must be certified as being compliant too. This certification should be done once a year. For smaller organisations handling lower volumes, it is possible to self-certify using a Self-Assessment Questionnaire (SAQ). You can download v1.2 of the PCI-DSS SAQ here.
While formalising procedures for handling sensitive data is important, there are real issues with this standard - the biggest problem is that it is open to interpretation. That's a big failing for a "standard". It has also left the door open for aggressive selling of products and services to "ensure compliance" and sometimes it is even the banks who do this.
Our clients use a whole spread of merchant account suppliers, and each of them seems to ask for something different to demonstrate compliance. While SAQs are accepted, Barclays is insisting that they be accompanied by a port scan provided by a partner company. Without it, they will charge you more; otherwise, they will charge you for a (largely meaningless) port scan. Recently, one of our clients was advised by their merchant account provider to submit the SAQ together with an attestation that they had passed a port scan - even though the provider in question knew that no port scan had taken place. Our concern is what would happen in the event of a security problem - who would take responsibility?
Our understanding is that a port scan does not actually form part of PCI-DSS certification.
Our advice is to be cynical but cautious too. There is frequent fear-based mis-selling of PCI-DSS related services, and you should not part with any money until you have talked to both your merchant account supplier and your payment gateway supplier. In a recent conversation with Sagepay, they recognised this problem and confirmed our point of view that a port scan is not part of PCI-DSS. Sagepay also pointed out that, for now, Barclays Merchant Services is the only UK merchant account provider that charges extra for those who have not passed a port scan.
Having standards for procedures such as handling sensitive data is good business practice and serves well to protect business owners as well as their clients. The big weakness here is that this standard is open to interpretation, which a standard should never be.