That’s right - the requirements are available for download from the VISA and MC Web sites.

Having said that - the PCI DSS 1.1 requirements are confusing and a mixed bag of countermeasures. Some are very sensible things like modifying vendor provided passwords alongside of some very archaic things like using anti-virus to mitigate “threats”.

This can result in a PCI auditor taking advantage of a merchant and overstocking them with security technology and professional services.

We know of one client who purchased a database firewall at the recommendation of their auditors (KPMG). They spent over Euro 100k on technology over 9 months ago that is still not fully implemented and for what - to prevent users from accessing the Oracle database with the production dba password. They could have and should have separated their test, development, staging and production environments and prevented developers from connecting to the production server with a simple firewall rule. That could have been implemented with a cheap Linux box running Centos and iptables for basically nothing.

The case with small merchants is that on one hand they don’t have the budget nor the mentality to spend although they have the most to lose in a security breach and as a collective group constitute the most significant source of vulnerabilities in the payment card network.

Clearly - there is a business case both for the card associations AND the small merchant to improve their security.

I’m skeptical about MS Word checklists and Euro15/month network scans as a means of attaining this goal.

I think it’s an insult to the intelligence of any decent business owner/manager. As an alternative, we suggest that the small merchant use Practical Threat Analysis to examine his own business situation, mitigate threats and comply.

This is what PCI is about really, at the end of the day.

There is a great deal of confusion about the idea behind the standard - namely, improving cardholder data security and not compliance for compliance sake.

If you’re a small merchant - you can do a self-assessment and be pro-active about security as well as cost-effective.

We have found that Practical Threat Analysis is a good way to understand the threats to a business and do a PCI DSS 1.1 self-assessment and keep it up t date. The application is available as a free download for all merchants - and we’d love to hear feedback from folks - you can download PTA PCI here - http://www.software.co.il/content/view/214/1/

Best regards
Danny

If you want answers to your questions from the people who train the auditors then mosey on over to: http://forum.aegenis.com/

This is the forum associated with PCIAnswers.com

It’s important to note that until you’re a level 1 merchant, you are only required to SELF-CERTIFY so audit costs are not an issue. However, should one take this as an opportunity to fudge the results and later have a breach, you’re on the hook not only for fines ($50k+) but also the cost of reissuing every compromised credit card (@ $35/pop). Although there is backpeddling on compliance deadlines, there is no backpeddling on the fines: compliance will happen for everyone because there are going to be some high-profile breaches that wind up bankrupting an acquirer.

For lockbox services, I came across TrustCommerce the other day which does exactly this. I will post my notes in an additional entry to give people a starting point in their own research.

If this is followed through it is going to fundamentally change the business of developing and hosting small e-commerce sites. For example, how many people now run Miva with MySQL on a single shared server? That won’t fly with PCI. It’s going to substantially raise the bar for providing such services (especially with even the cheapest single location audits running around $15k).

It will definitely be interesting to see how this plays out, but I believe in future that more people will offload the storage of credit card information just because PCI compliance is too onerous for most smaller businesses.

We’re actually thinking of developing a “lockbox” service to solve this problem - there are some out there, but nothing compelling yet.