A friend recently asked me to help solve for him a Payment Card Industry (PCI) riddle. Here is a sanitized and rewritten stub:
A competitor of ours is listed on Visa’s PCI list of validated service providers, but we know that they are not compliant with one of the PCI DSS requirements. We know this because we operate in the same business model and there is no way that they or we can do this one thing. My assumption is that this is a case of a Qualified Security Assessor (QSA) missing the boat. Is there any way that we could also get compliant?
To which I replied:
(1) You can always become compliant. (2) The details are not always what they may seem to you or your competitor. (3) Also, compliance validation is in part to do with the Acquiring Bank and or payment brand.
You seem to think you know everything there is to know about your competitor but in all likelihood you do not – nor are you a beautiful and unique snowflake that deserves special consideration. Nuances unimportant to you may have a big impact on compliance. I’ve heard this argument before – if they do it why can’t we? The answer is because you know better.
Also, your competitor’s acquiring bank or validation entity may permit them to operate in a certain capacity based on factors unknown to you. My advice is to talk to your acquiring bank or payment brand and ask them to work with you on a solution. If you don’t want to do that it’s because you know the answer you will get and just don’t like it.
Of course there are work arounds. My latest mantra of compliance has been to stop teaching people how to comply and instead teaching them how to develop a risk management program with compliance a natural byproduct rather than an end goal.
To do this you need to know what rules you need to obey, which you can bend, and which you need to work around. Here is a short list of work arounds.
- Compensating controls
- Segmentation: network, operational, physical, role based
- Tokenization or data surrogacy
- Scope reduction
- Point-to-point encryption
- Remove the data
- Truncate or mask the data
The list goes on.