Page 30 - GS131001
the business with generalized SAQ responses that didn't match the merchant's IT environment. In addition, the merchant's payment processor pre-populated portions of the SAQ, and those answers no longer aligned with the new POS system the restaurant had implemented.

Since the processor and integrator played a critical role in assessing flawed PCI compliance as faultless, the court ruled in favor of the merchant and "shifted" liability to the processor and integrator. The case settled out of court for approximately $750,000.

Tackling educational challenges

The SAQ is far more than a one-time test; it's an invaluable tool, designed to help merchants better understand the PCI DSS, pointing them in the right direction so they can regularly and critically evaluate their security controls and identify areas for incremental improvement.

For small merchants, the PCI DSS may be the only information security-related discipline they encounter. By not taking the time to understand their own environments so as to complete SAQs accurately, or by not reviewing and discussing the SAQ-related information provided by others, merchants miss out on the benefits that result from proactively assessing their own state of PCI compliance.

Ensuring that the appropriate defenses exist and attaining PCI compliance requires education and awareness of threats. Ignorance will provide neither MSPs nor merchants with immunity.

Partnering for a win-win

When a forensic investigation is performed following a breach event and the systems and controls in place are not consistent with the merchant's most recent SAQ responses, every business entity that touched that SAQ comes into question.

As trusted merchant advisers, MSPs must move away from a one-size-fits-all approach to their merchants' SAQ process so that the risks of unidentified and unaddressed security gaps are mitigated. Assisting merchants with their SAQs or even pre-populating certain items is not bad in itself; however, MSPs should conduct due diligence to verify that the responses they are providing align with merchants' current environments.

MSPs can further minimize their liability by clearly outlining security-related expectations and responsibilities in their merchant agreements, as well as facilitating regular, multichannel merchant communications and targeted security awareness training.

Despite what may initially appear to be an uphill battle, it is possible for MSPs to effectively educate and equip merchants with the information and resources they need to achieve true PCI compliance and complete their SAQs to reflect that achievement. In doing so, MSPs empower merchants to control their own security processes and grow in their awareness and understanding of PCI controls. What's more, MSPs avoid the costly mistake of enabling false-positive answers that could come back to haunt them in court.



Chris Bucolo is Senior Manager, Security Consulting at ControlScan, which delivers secure payment solutions to a global network of merchant service providers and the small businesses they serve. He can be reached at cbucolo@controlscan.com.