I have had many questions on the topic of compliance for Level II PCI merchants that are transitioning from a SAQ (self-assessment questionnaire) to an on-site audit with a Report on Compliance (ROC). Many are concerned by the prospect that they are non-compliant with a number of the controls and want to know what they should do and what risks they face.
The answer will depend on the merchant’s acquirer/processor (Chase, Fifth Third, etc.) and their contract. Should the merchant find they are non-compliant, they will want to report their status to the acquirer. The acquirer will want to see a plan for how and when the merchant is going to remediate, and the merchant will be managed through regular touch points on progress. The acquirer will agree a remediation date with the merchant. Beyond that date, the merchant can usually expect increased contact and monthly fines, or termination of its ability to process credit cards. Here is the latest on Mastercard’s fines:
https://www.storefrontbacktalk.com/securityfraud/mastercard-becomes-the-first-card-brand-to-publish-pci-fines/
The bigger risk is not having safe harbor protection while remediating. Should the merchant experience a breach while not compliant, they may be held responsible for the fraud on the cards and for the cost of re-issuing cards from the card issuers. The contract language with the acquiring bank will spell out some of these liabilities, and many acquirers have been updating their contracts with stronger language on compliance and liability. Another scenario is being shut off from processing credit cards through that acquirer and being unable to get a new acquirer, because they all require PCI compliance.
Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor
Partner