2

i run an organic food store, and after a conference call with my credit card service (card connect), do i really have to hire a PCI certified professional once a year in order to be pci compliant? If this is the case, how much does it cost?

Or am I just misreading things, i don't think any "cyber criminal" is going to target my business. NCR Silver handles all my credit card transactions.

thinksinbinary
  • 149
  • 7
  • https://www.ncrsilver.com/what-is-pci-compliance/ – they Feb 16 '19 at 02:59
  • 1
    "i don't think any "cyber criminal" is going to target my business." Wow. – Joseph Sible-Reinstate Monica Feb 16 '19 at 03:46
  • 5
    To make a more useful comment than Joseph Sible: in the modern world, any business with an online presence of any sort will be targetted by cyber criminals. Many businesses without online presences are still targetted by cyber criminals, despite the reduced attack surface. If you're careful, there can be a big difference between being targetted and being compromised, which is part of what PCI compliance is about - but that's only about protecting credit card info, not your business. – Ed Grimm Feb 16 '19 at 04:01
  • @they: so, what your trying to say is that ncrsilver is already pci compliant, and i don't need to hire anyone? This all just seems like a classic case of taxation and racketeering to me. – thinksinbinary Feb 16 '19 at 04:06
  • @thinksinbinary: All merchants that takes card payments have to be PCI compliant. Using PCI compliant payment processor doesn't make you PCI Compliant, but they can reduce the scope of your PCI compliance. You still need to do a PCI-SAQ, which is pretty simple to do if you use a processor. Note that PCI compliance isn't law, but if you aren't PCI compliance and you are suspected to cause a data breach, your bank will impose very heavy fines and no banks will allow you to process cards if you're black listed. Completing your PCI compliance reduces your liability if you are involved in a breach. – Lie Ryan Feb 16 '19 at 04:18
  • 2
    There are different levels of compliance depending on your volume. I'm not very up to date with PCI DSS but from memory levels 3 and 4 you can self-certify – paj28 Feb 16 '19 at 08:07
  • @thinksinbinary Here is another question that is similar in nature. https://security.stackexchange.com/questions/67484/pci-compliance-if-not-storing-or-transmitting-credit-card-data From what I recall working in retail, our merchant account provider would do audits periodically overnight. I'd think if you complete those, run your credit card transactions on an isolated network, and don't store any customer/payment info (why would you..??), you should be in compliance. – they Feb 16 '19 at 16:20

4 Answers4

12

If you handle credit card numbers, then yes, you have to be certified by a qualified auditor and this certification requires you hiring an external/independent PCI qualified security assessor.

However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance signficantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is primarily based on the volume of your expected transactions, mechanism you integrate with your payment processor, and how you handle card data.

Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.

Lie Ryan
  • 31,459
  • 6
  • 70
  • 94
1

Do you need to be cautious about security? If you are using POS(Point of Sale system) a simple reason could be; This Machine is simply request the money transfer. The credit card data being transferred to complete the transaction are sensitive and the whole process needs to be PCI (payment )compliance. You might not have online business but it only means less concern. Anyone can be target of cyber criminals in small or large scale and just a matter of time. Start with PCI SAQ (Self Assessment Questionnaire) and this should give an idea if you still need a professional to run through that.

How much does it cost? Depends on variable that will affect the overall cost, the size and type of business. The larger the organization, the more potential compliance gaps therefore more costly.

Vcode
  • 866
  • 1
  • 6
  • 9
1

i run an organic food store, and after a conference call with my credit card service (card connect), do i really have to hire a PCI certified professional once a year in order to be pci compliant?

You probably do not need to hire a PCI certified professional, because unless you're a particularly large organic food store, you are likely small enough that the Self-Assessment Questionnaire will suffice. (The caveat being that your processor may compel you to have an audit instead of an SAQ, but that would usually only be the case for a small merchant who had a history of compliance problems).

If you've never gone through the process, then hiring an auditor at least once is a good idea. They can help you understand the issues so that handling the SAQ will be easier for you in future years. They can point out security issues that the SAQ might not make apparent to you.

If this is the case, how much does it cost?

That varies widely by the size and location of your business, and by the individual auditor you might engage, so it's impossible for us to say. The standard advice of "get multiple quotes" applies.

Or am I just misreading things, i don't think any "cyber criminal" is going to target my business.

If you handle cards, you are a target of opportunity. They may not know or care who you are, but they'll hit you nonetheless. It's not about your level of profit, it's about the fact that customers hand you cards, and each card represents thousands of potential dollars, and a useful smaller amount of real dollars to the attacker who sells it down the line. PCI DSS is not about employees, it's about infrastructure and practices to protect the cards that have to flit across your business on their way to the processor.

Sure, NCR does a lot to protect the cards - but a necessary step, imposed by the card brands, is to make sure that Merchants do their part also.

gowenfawr
  • 72,893
  • 17
  • 165
  • 200
  • well this is the thing, my organic food store barely makes a profit, i pay all my employees in the area a decent wage. The thing that bothers me about this is that none of the pci compliance sites are explicit about what they are protecting you against. The issue with internet security overall is that some [robot] has to get the credit card information along the way, we can start scanning employees pockets when we process their credit card payments. I would think that NCR imposes really good security measures on their credit card processes. And no, its obvious that we don't store the info – thinksinbinary Feb 17 '19 at 01:31
  • 1
    @thinksinbinary: NCR may have good security measures, but processors are not the ultimate target of responsibility of the audit, merchants are. You should contact NCR and ask them for advice on how to fill your SAQ. Completing a SAQ is pretty simple process, if you already use a processor, you'd be answering most questions N/A anyway. If you have done SAQ and found that you are lacking in several areas, that will still be viewed favorably than never having done any self-audit at all. You don't want the bank the be the one auditing you after an "event". – Lie Ryan Feb 17 '19 at 02:00
  • 1
    @thinksinbinary: ultimately the PCI compliance isn't about protecting merchant. It's about protecting the bank customer's credit card from misuse. For better or worse, the credit card system has been designed to favour customers rather than merchants, but merchants are responsible for implementing parts of the security measures. While merchants aren't directly negatively affected by card data leaks, so the way banks force merchants to take their responsibility seriously is with chargebacks, fines, and blacklist. – Lie Ryan Feb 17 '19 at 03:34
  • @thinksinbinary updated the end of the answer to address your comment. – gowenfawr Feb 17 '19 at 03:44
  • i thought about this a lot today, one thing i could do is plug my computer into the router of the POS processor and run wireshark to see if the packets are encrypted. Just kidding. I don't even own an organic food store, you all aren't paranoid and secure enough about who you give information to. – thinksinbinary Feb 17 '19 at 06:11
  • @Lie Ryan: Thanks for that info about the SAQ, that might enable me to help my friend avoid fees and stress. – thinksinbinary Feb 17 '19 at 06:13
0

Cyber criminals use spam to send fake (phishing) emails. If your business gets caught by one, the attacker has a way into your network, where they will scan for your POS system. Many small businesses have been hacked because their POS service provider was hacked, and all the clients on their list were penetrated. No business is too small, because many criminals are in a different country, and don’t know anything about you or your size. You are just another gold nugget to be mined in the eyes of these criminals.

Why comply with PCI-DSS? Because your business will be held liable for all losses associated with any breach you’re involved in. If you have a customer with a million dollar credit limit on their card, and the thieves who stole it from you use it to buy a Ferrari, you’re liable for the whole amount.

It sounds like you’re a Tier 1 merchant, so take the self-assessment route, if you can. It won’t get you completely off the hook if your POS system is breached, but at least you’ll have someone else to shoulder the burden.

Also, take the opportunity to learn about and convert to EMV chip cards, if you haven’t already. Mag stripes are worthless for security. Chip cards will protect you from a whole host of risks.

John Deters
  • 34,205
  • 3
  • 61
  • 113
  • assuming that the business owner was "dumb" enough to fall victim to a phishing scam, it wouldn't matter because the POS is a seperate network. – thinksinbinary Feb 17 '19 at 06:24
  • @thinksinbinary , that is an extremely short sighted approach. The Target hack started when a bookkeeper at an HVAC vendor (not even a Target employee!) fell for a phishing email. The hackers tunneled in through firewalls, virtual machines, isolated networks, and bypassed other security measures. Don’t imagine for a minute that your network is secure against these kinds of attackers, because it is not. – John Deters Feb 17 '19 at 21:56
  • "that is a short sighted approach", John Deters, thanks for using your info-sec knowledge to help me. However, most people don't wear bullet proof vests despite the real possibility of getting shot in public in 2019. Target is a serious target for hacking because of their size and indescretion. I've read the SAQ and some of the requirements aren't necessary for this small organic food business, but PCI compliance is currently threatening the financial security of the low-profit store. In the end they should hire the fancy expert but my job is to find out if they need it, and how much to pay. – thinksinbinary Feb 19 '19 at 13:09
  • I’m sorry, that was unnecessarily rude of me. I should have said I’ve seen faith in technical solutions approaching hubris, and seen them fail often enough to know that no single technical solution is adequate once the bad guys are inside the network. I don’t think anyone should rest on “I segmented the network so my job is done.” Those bad guys didn’t choose Target, they were simply drilling into the compromised HVAC vendor and found a link to Target they exploited. Access to the HVAC system was sold by the original phishing spammer for $70; he didn’t know it was the entrance to a gold mine. – John Deters Feb 19 '19 at 19:30
  • nah you werent so rude, its just that the store i was helping doesn't need PCI compliance tests because they have a very simple system and don't make much money: the POS is a seperate system, and i ran wireshark while connected to the server and the packets are unreadable without encryption cracking. Plus, the employees can't install new software on the two POS tablets. – thinksinbinary Feb 20 '19 at 21:51
  • stack exchange doesn't ever allow me to edit the comments: there is no server, i ran wireshark on the ROUTER while i was connected to it. – thinksinbinary Feb 20 '19 at 22:26