As is the tradition, the PCI Data Security Council (PCI-DSC) constantly changes its regulations to keep up with the ever-evolving cat-and-mouse game of protecting credit card information from criminals and hackers. The latest change requires that a QIR Implementation Statement be completed every time a retailer implements or changes their PA-DSS credit card processing solution.
This mandate requires that most changes to a merchant’s Cardholder Data Environment (CDE) be performed only by a certified employee of a QIR Certified Company. Thankfully, Paul Hudak at Smyth Retail has completed the certification so that we may continue to provide expert service as your software partner. As our QIR lead, he must be involved in the setup and configuration of all credit card processing, and he is sincere and excited about helping our clients better understand and implement sound security practices.
As a QIR Certified Company, our requirement when setting up credit card processing is to complete, and keep on file, a QIR Implementation Statement, which amounts to a report card on the then-current state of the system’s security. We don’t have to send this report card home (i.e. to the Council or to any of the bank card companies), but if you are ever breached, the forensic auditors will require that we share it with them.
What this process really represents is a security review of your credit card processing environment, including requirements on how the system is configured and how security is implemented. Not only does this require a review of security issues and PCI’s 12 Requirements with you; the report also requires that we actively confirm some of the security settings in place and identify any deficiencies according to the PCI Data Security Standards.
In preparation for installing, changing or updating your payment application, there are many items that need to be reviewed. A summary includes:
- A unique and dedicated administrative account must be set up for use by a QIR Certified installer.
- Confirmation that all default passwords have been changed (for all users on all computers and routers). Paul will need access to all systems to confirm these passwords are no longer used.
- Identification of network access including proper segmentation and security for the Cardholder Data Environment.
- Confirmation that all remote access is restricted and properly secured with two-factor logins.
- Confirmation that software and security updates are being performed.
- Confirmation that anti-virus software is in use and up to date.
- Confirmation that system and software logs are turned on and properly archived.
- Review of the retailer’s Security Policies as required by the council.
- Preparation of the QIR Implementation Statement.
- A detailed review of the QIR Implementation Statement between the retailer and Paul.
Yes, this review and the remediation of any exposed security issues will involve some pain and some costs, but we believe the value is priceless – so are restful nights for the ownership! Our goal is to go beyond completing this paperwork to make sure the issues are properly understood and an action plan is identified when needed. In the process, the merchant will receive not only a completed QIR Implementation Statement, but also a report of recommendations, best practices, and any weaknesses we identify above and beyond the security requirements (for example, confirming that backups are being taken).
We will identify gaps, provide a remediation plan if needed, and offer our best-practice recommendations. When it comes to security, any evaluation reflects only a specific point in time. We expect that issues will be uncovered in the report, but there is no requirement (and it may not be practical) to fix every issue before the report is filed (it must be completed within 10 days of the actual installation). What is important is that any documented deficiencies are remedied as part of the retailer’s security policy as soon as possible. The nice thing about a PCI report card is that you can go back and fix your mistakes – in fact, the whole point is to initiate such a process of review. Security is never static!
PCI-DSS regulations constantly change to keep up with ever-changing technologies and the ever-evolving cat-and-mouse game of protecting credit card information from criminals and hackers. Ultimately, the security and liability burden rests with the merchant, who is responsible for ensuring that their business network is PCI compliant and that effective security policies are in place. The truth of the matter is that most retailers will ignore effective security until they are breached. Worse yet, for those who aren’t vigilant it’s not a matter of if, but when.