Recently a few friends who run small businesses asked for help understanding PCI compliance requirements. They are all brick-and-mortar stores, selling merchandise or services (or both). When looking at the material they’ve been provided, I was shocked at how poorly the self-assessment questionnaires are written. There’s no way that a typical small business owner can be expected to parse the questions full of unfamiliar terms and acronyms, let alone understand how to answer correctly (and honestly).
After a dozen or so conversations with these smaller merchants, here is what I took away from the experience:
- The PCI DSS self-assessment questionnaires are not written in a way that small business owners can understand.
- The questionnaires being provided to merchants are in some cases technically incorrect (or at least out of sync between DSS versions).
- Small business owners, who aren’t security professionals, require expert guidance in order to answer the questions honestly.
- Merchants are incentivized to “guess”, which can put them at odds with answering honestly.
- In some real-world situations, PCI DSS comes into conflict with HIPAA requirements.
- It seems as if the intent of overly complicated technical questions posed to small businesses is to scare them.
To begin exploring these issues, take a look at some of the more technical questions. In one case, the owner of a local health and wellness business was expected to understand this statement from the 2018 PCI DSS questionnaire:
“Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks?”
Setting aside that this question is from an outdated version of the standard, there’s no way that she could be expected to understand what was being asked of her. Then the situation is made worse with the following reference:
“Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect.”
The note is intended to clarify the statement, but only serves to further confuse the situation (not least because it comes from a different DSS version than the question itself). And while I have personally worked with both “SSL/early TLS” and the more modern versions (e.g. TLS 1.3), the defining line is left up to interpretation by the reader, who wouldn’t know what SSL stands for, let alone the differences between SSL 3.0 and TLS 1.0, or that RC4 was deprecated in RFC 7465.
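The practical question hidden inside that note is whether a merchant’s payment endpoint still negotiates the old protocol versions. The following script is an added example, not part of the original post and not an official PCI SSC tool: it attempts a handshake with a host pinned to one TLS version at a time and reports which legacy versions are still accepted. The cutoff it applies (SSL 2.0/3.0 and TLS 1.0/1.1 treated as “SSL/early TLS”, TLS 1.2 and 1.3 treated as acceptable, any RC4 suite flagged per RFC 7465) is this example’s own assumption, and the host name is whatever you pass on the command line.

```python
"""Probe which TLS protocol versions an endpoint will negotiate.

Added illustration; the version cutoff below is an assumption made for this
example, not a quotation of the PCI DSS text. SSL 2.0 and 3.0 cannot be
offered by the OpenSSL shipped with modern Python, so the probe starts at
TLS 1.0. Run as: python tls_probe.py payments.example.invalid 443
"""
import socket
import ssl
import sys

# Assumed policy: these versions are treated as "SSL/early TLS".
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# Versions the client will offer, one handshake per entry.
PROBE_VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def classify_handshake(protocol_version, cipher_name):
    """Return (verdict, reason) for a negotiated protocol/cipher pair."""
    if protocol_version in LEGACY_VERSIONS:
        return ("fail", f"{protocol_version} is SSL/early TLS")
    if protocol_version not in ACCEPTABLE_VERSIONS:
        return ("fail", f"unrecognised protocol {protocol_version!r}")
    if "RC4" in cipher_name.upper():
        return ("fail", f"{cipher_name} uses RC4, prohibited by RFC 7465")
    return ("pass", f"{protocol_version} with {cipher_name}")


def probe_endpoint(host, port=443, timeout=5.0):
    """Try each version in PROBE_VERSIONS; map version name -> (verdict, detail)."""
    results = {}
    for name, version in PROBE_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # We are testing protocol support, not certificate trust, so
        # disable verification (check_hostname must be cleared first).
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
            # OpenSSL's default security level refuses to offer TLS 1.0/1.1;
            # lower it so the server, not the client, decides.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    cipher_name = tls.cipher()[0]
                    results[name] = classify_handshake(tls.version(), cipher_name)
        except (ssl.SSLError, OSError) as exc:
            # A refused legacy handshake is the desired outcome.
            results[name] = ("refused", type(exc).__name__)
    return results


def summarize(results):
    """Overall verdict: fail if any probe negotiated a legacy version or RC4."""
    verdicts = [verdict for verdict, _ in results.values()]
    if "fail" in verdicts:
        return "fail"
    return "pass" if "pass" in verdicts else "inconclusive"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "payments.example.invalid"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    report = probe_endpoint(target, target_port)
    for version_name, (verdict, detail) in report.items():
        print(f"{version_name:8} {verdict:8} {detail}")
    print("overall:", summarize(report))
```

An “inconclusive” result means no handshake at all succeeded (wrong port, firewall, or host down), which is worth distinguishing from a clean pass before anyone ticks the box on the questionnaire.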
Fortunately, I understand and am conversant with transport layer security (as well as the rest of the overly complicated questions being asked). So, I was able to cut through the chaff and explain everything in a way that they could understand and answer the questions honestly. In most cases, these merchants really want to comply, but they simply need help understanding how to do so.
Unfortunately, I also came to learn that some merchants simply try to guess at the right answers. They tick the boxes that seem to be the “right” ones, regardless of whether they understand what’s being asked. Making things worse, they may knowingly answer in a way that isn’t accurate. Their perception is that answering “wrong” could put their ability to handle credit cards in jeopardy, a fate they can’t afford.
From this point of view, I think I’ve uncovered the true intent of the PCI DSS questionnaires directed at small businesses. On the surface it would appear that they’re asking merchants for honest answers about their data security, but I have a feeling that the goal is something else entirely. It’s as if the goal is to scare the merchants into thinking more about the sensitivity of the data that they’re handling, regardless of their actual answers.
Honestly, that isn’t necessarily a bad goal. Even though they don’t understand what’s being asked, the exercise did force them to think carefully about the process and technologies they use to handle payment card data. In most cases, my conversations with the merchants resulted in them materially improving their security. Most notably, they now have much more robust policies and procedures in place that address real-world shortfalls (e.g. more diligent vetting of which employees have access to what data).
But the improvement wasn’t due to the PCI DSS program itself. It was due to an experienced information security professional spending time with them. I had to clearly explain what was being asked, answer questions, and provide real-world suggestions for improving their data security. All of this was tailored to their level of comprehension and business reality.
Finally, in some cases, the businesses I was dealing with must also be compliant with the Health Insurance Portability and Accountability Act (HIPAA). Interestingly, there are a few PCI DSS requirements that, in real-world practice, are at odds with what’s required to be HIPAA compliant. For example, it’s not uncommon for small businesses to terminate their network in the same office where they store patient records. This leads to an issue where PCI DSS may require video surveillance of that room, so clients could be recorded (a HIPAA violation). Of course this could be solved with two separate rooms, but that’s not always practical (even if they understood the issue needing to be addressed).
Primarily to feed my curiosity, I then looked around for agencies that provide professional guidance in responding to the PCI DSS self-assessment. And while they do exist, they are effectively priced beyond the budget that a small merchant can easily afford. Further, some of the firms I evaluated are clearly designed to lock a merchant into a lot of additional expenses they may not need (e.g. pen testing, log monitoring, security alert feeds, etc.). And while I’m sure they exist, none of the ones I found specifically mentioned they addressed the complication with HIPAA compliance.
In short, while the PCI DSS model is a vital tool in helping to secure data on the fringes, the support resources are falling short of reality. And, unfortunately, the only solution I see is increased staffing of seasoned (expensive) security service personnel (who are already in short supply). In all practicality, this isn’t a solution that small businesses can afford.
Then again… perhaps I simply didn’t find the magic solution. I’d be happy to hear if you have found a reasonable way for small businesses to comply with the PCI DSS (and HIPAA) requirements.