IBM Systems Magazine, Power Systems - January 2018 - SE29
Sponsored Advertising Content
New Mandatory PCI Security Reporting and Why You Haven't Heard of It
Being in the credit card processing business, we are audited continually. So, we study the industry and Payment Card Industry (PCI) security mandates constantly.
You see dramatic news items that overshadow other important alerts. Earlier this year, the PCI Security Standards Council (PCI SSC) mandated that all merchants, even the smallest, are now required to complete and submit a Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC). Previously, those at "Merchant Level 4," the lowest volume, were not required to. These small merchants do less than a million total transactions and fewer than 20,000 e-commerce transactions per year. You may be one.

IRA CHANDLER - CTO
In 1993, Ira Chandler wrote the first commercial card software for the AS/400. Twenty-four years later, the company is still dedicated to the
Not heard of this?
The people with whom you contract for card processing are banks. The PCI enforces through the card brands (e.g., Visa, MasterCard, American Express, etc.) and the only contract they have with the merchant is through the merchant account that the acquiring bank has signed with the merchant. While banks/acquirers are interested in security, they are ill-equipped to enforce PCI mandates.
What is the task?
As of Jan. 31, 2017, a merchant accepting credit cards is absolutely required to complete an SAQ. If you touch the credit cards with your workstations and servers in any way, regardless of storage, you must complete the SAQ "D". This 500-plus question interrogation into your processes, systems and security can take months to complete. It is accompanied by implementation of dictated policies and procedures.
What is the risk?
Even though your bank may not have demanded it, ignorance is no excuse if you suffer a breach. So, as great as you think your security is, without the submitted SAQ and an AOC signed by an officer of the company, you're patently in violation of PCI requirements. This exposes a company to huge fines, lawsuits and re-issuance costs for the card numbers stolen.
We present this to alert you not just to the mandate that you likely have not yet been required to fulfill but also to the ever-increasing requirements from the PCI. If you touch credit card data, or even employ remote tokenization technology, make sure someone in your organization is tasked to monitor the PCI mandates. Better yet, find a trusted partner with expertise who can assist. The pcisecuritystandards.org website has a list of qualified security assessors that specialize in providing authoritative guidance on
ibmsystemsmag.com/buyersguide 2018 // 29