Page 52 - GS140501
Education




standards, it reduces PCI scope. Because it is so secure, a PCI-validated P2PE solution basically negates the need for many of the security items required in a Self-Assessment Questionnaire (SAQ).

E-commerce considerations

After including the brick-and-mortar factors already discussed above, there is an issue unique to e-commerce. Even though you don't have control over this factor, you should still be familiar with it.

Right now, according to Feedzai, online shopping only accounts for 6 percent of consumer spending, which equals $343 billion out of the $4 trillion in retail purchases. So, although CyberSource reported hackers were responsible for $3.5 billion lost in e-commerce sales in 2012, it was a mere drop in the bucket. This trend is likely to change starting in 2015.

Beyond 2015, e-commerce merchants will pose a greater risk than today due to the butterfly effect following the mass adoption of EMV. Although EMV doesn't directly affect e-commerce, once U.S. brick-and-mortar merchants seriously begin the EMV migration, hackers will begin to focus their efforts toward the e-commerce industry.

PCI compliance considerations

You probably already guessed it was coming, but PCI compliance is a big factor in your risk reduction. The more noncompliant merchants you have, the higher your risk of being affected by a data breach. No big news there. The thing most acquirers and ISOs haven't done yet is figure out how many merchants are actually compliant. In 2014, Fortinet found that one in five small to midsize business retailers are not PCI compliant.

An easy (though not foolproof, and somewhat time-consuming) way to estimate claimed compliance versus actual compliance is by tracking how long it takes a merchant to fill out an online SAQ for the first time. Merchants who spend less than 10 minutes on it are probably racing through just to check it off their to-do lists. If they spend a few hours or days on it, they're probably being honest in the way they fill it out. But like I said, this is a somewhat unrealistic technique. If you try this method, and the results don't meet your own PCI compliance standard, you may wish to discover other ways to motivate your merchants.

Based on what I've just discussed, a risk-averse portfolio with the lowest chance of data breach has no high-risk industries (like hospitality, food, retail, or finance), and includes 100 percent PCI-compliant, midsize, and P2PE-using brick-and-mortar merchants. Whew. Obviously, the perfect statistical approach doesn't account for real life.

Risk calculation exercise

Following is an exercise that may provide more insight into your portfolio risk level.

Section 1: Check all that apply to your portfolio:
• hospitality merchants
• retail merchants
• food and beverage merchants
• health care merchants
• finance merchants
• merchants not undergoing security training program
• more than 20 percent PCI noncompliant
• compromised merchants (past or present)

Total checks from Section 1

Section 2: Check all that apply to your portfolio:
• most merchants are L2-L3
• most merchants are brick-and-mortar
• most merchants use PCI-validated P2PE solution
• most merchants use EMV solution
• most merchants conduct quarterly vulnerability scanning
• most merchants scan for unencrypted card data
• most merchants actually PCI compliant

Total checks from Section 2

Instructions: Subtract Section 2 total from Section 1 total to receive your portfolio risk score.

Portfolio risk score

-7 to 3: Good work. You're doing the right things to reduce your merchants' risk and increase their security! Statistically speaking, your portfolio has a very low possibility of data breach.

3 to 5: Needs improvement. Your portfolio is on the right track, but there are many ways you can reduce risk. Have you started offering an EMV solution yet?

5 to 8: Yikes! Enforce compliance now! There's no easy way to say it: your portfolio probably has a high chance of data breach. But the positive news is, there's lots of room for improvement! Start offering a P2PE solution in addition to a proven PCI compliance program to show that risk who's really in charge.

Jake Young is Director of Business Development for SecurityMetrics, and can be reached at jyoung@securitymetrics.com or 801-995-6340. SecurityMetrics is a global data security and compliance company and offers PCI compliance solutions for processing and acquiring entities.
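The risk calculation exercise above, implemented as an added example (not from the article or from SecurityMetrics) that derives the Section 1 and Section 2 checks from per-merchant records instead of hand-ticking boxes. It assumes the merchant attribute names it defines, reads "most merchants" as strictly more than half of the portfolio, and scores the article's shared band boundaries (3 and 5) as the higher-risk band:

```python
# Industries the exercise's Section 1 treats as high-risk.
HIGH_RISK = {"hospitality", "retail", "food and beverage", "health care", "finance"}

def merchant(industry, **flags):
    """Constructed merchant record; unset attributes default to the low-risk value."""
    base = dict(level=2, brick_and_mortar=True, p2pe=True, emv=True, quarterly_scans=True,
                card_data_scans=True, pci_compliant=True, trained=True, compromised=False)
    return {"industry": industry, **base, **flags}

def most(ms, key):
    """'Most merchants' is read as strictly more than half of the portfolio (assumption)."""
    return 2 * sum(1 for m in ms if key(m)) > len(ms)

def section1(ms):
    """Risk-increasing checks from Section 1 of the exercise."""
    checks = len({m["industry"] for m in ms} & HIGH_RISK)           # high-risk industries present
    checks += any(not m["trained"] for m in ms)                      # no security training program
    checks += sum(not m["pci_compliant"] for m in ms) > 0.20 * len(ms)  # >20% PCI noncompliant
    checks += any(m["compromised"] for m in ms)                      # compromised, past or present
    return checks

def section2(ms):
    """Risk-reducing checks from Section 2: each counts only if most merchants qualify."""
    keys = [lambda m: m["level"] in (2, 3), lambda m: m["brick_and_mortar"],
            lambda m: m["p2pe"], lambda m: m["emv"], lambda m: m["quarterly_scans"],
            lambda m: m["card_data_scans"], lambda m: m["pci_compliant"]]
    return sum(most(ms, k) for k in keys)

def risk_score(ms):
    """Instructions: Section 1 total minus Section 2 total."""
    return section1(ms) - section2(ms)

def risk_band(score):
    # The article's bands meet at 3 and 5; assumption: score those boundaries as the higher-risk band.
    if score >= 5: return "enforce compliance now"
    if score >= 3: return "needs improvement"
    return "good work"

# Constructed sample portfolio: five merchants, two of them lagging behind.
PORTFOLIO = [
    merchant("retail"),
    merchant("hospitality", p2pe=False),
    merchant("retail", level=4, brick_and_mortar=False, pci_compliant=False, trained=False),
    merchant("finance", compromised=True),
    merchant("health care", pci_compliant=False, emv=False),
]

if __name__ == "__main__":
    s = risk_score(PORTFOLIO)
    print(f"Section 1: {section1(PORTFOLIO)}, Section 2: {section2(PORTFOLIO)}, score {s}: {risk_band(s)}")
```

Note that the sample portfolio scores 0 despite containing a compromised merchant, because every Section 2 control is in place for most merchants; the exercise rewards portfolio-wide controls rather than flagging individual bad actors.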
