FAQ Friday: PCI DSS Compliance and SMBs

By Steve Sims, CISSP, TierPoint Sales Engineer

Customers frequently ask many questions about compliance in the cloud. In particular, SMBs often ask us how they can be compliant with the Payment Card Industry Data Security Standard (PCI DSS) even if they are not required to be. Every day, we share compliance advice and educate customers about selecting the right type of infrastructure solution (e.g. private or public cloud) for compliance and at what cost.

Recently, we teamed up with Fortinet, one of our technology partners, to host a forum in Seattle and Spokane addressing several security issues. Here are some highlights from our discussion:

Threats Still on the Rise
New capabilities that let hackers automate attacks allow more mass targeting of SMBs. While large enterprises may offer big payloads and publicity, SMBs generally do not protect themselves adequately. Essentially, hackers are more often going for volume against easy prey. I have seen studies saying that SMBs represent close to two-thirds of targeted attacks.

Large enterprises are not out of the woods, however. This past week was the one-year anniversary of the Heartbleed vulnerability. According to one report, 75 percent of big companies are still vulnerable to it.

About PCI DSS
PCI DSS is a framework for developing account data security processes. It is important because of the role that credit cards play in e-commerce. Although achieving PCI DSS compliance is good corporate governance and evidence that your organization adheres to high data protection standards, it is not a panacea. The next PCI DSS version (3.1) is expected to be released this month, and it shows how the standard is getting stronger in areas such as encryption.

PCI DSS 3.0 Requirements
If you are thinking about becoming PCI DSS compliant, there are some basic requirements that you have to plan for and implement. These are good points to consider with your team and technology consultants, because you have to account for all of them.

(Image: PCI DSS 3.0 Requirements)

Cloud and Compliance
Infrastructure requirements for compliance can be confusing. The truth is, you can achieve PCI DSS compliance with your own infrastructure or any kind of cloud. The technology elements of compliance are some of the easiest components to manage. The Three Ps are the hard part: policies, people and processes. Each organization has to evaluate the kind of security posture it wants, then assign a value and budget to it. The cloud allows you to have a network that is as secure as you need it, whether against intrusions or against unintentional threats that can take your network down, such as natural disasters.

From speaking with event attendees, it is clear they are looking to PCI DSS to help create a baseline for their security environment. It gives them confidence that they are applying best practices to their environment. We believe PCI DSS compliance can be beneficial for many types of organizations, especially if they sell products and services online.

The caution, though, is that any compliance represents a moment in time. We like to say that compliance is not a set-it-and-forget-it proposition. Human resources are one of the big considerations before making the decision to maintain PCI DSS compliance. You have to be able to actively monitor your environment and make updates to your firewalls, antivirus definitions, etc. This is one reason why more companies are considering managed security services. It takes the burden off of them so they can concentrate on growing their business.

It was a great pleasure to join with Fortinet to talk about achieving compliance with organizations here in the state of Washington. Based on feedback, we will look to share this information with more people. Do you have any questions about achieving PCI DSS compliance, or about compliance in general? Leave a comment or connect with me.