#1
We are a small company that processes payments
a) over the phone through a phone-linked device, and b) through a third-party payment service: people paying for products online are redirected to the payment service, which is fully PCI compliant. We do not store cardholder information on any electronic media of any description or transmit it in any form. My understanding is that I need to fill out Self-Assessment Questionnaire A v1.2. Our credit card company now uses a US-based company to deal with all PCI compliance issues. They have told us that because we can process refunds through the website, they need to do a full system scan. This is despite the fact that we can't see the cardholder info when we do the refund, access to the website is password controlled, and we never save passwords. As of yet the company has not been able to tell me the answer to this. The question is: how do we know we are not being screwed? Thanks for taking the time to read.
#2
Rafifi,
My suggestion to you is twofold: 1. Educate yourself. Send someone to a recognised PCI training course; the official QSA training without the exam would be the best one. There your representative will gain enough knowledge of the standard to provide you with a certain level of assurance that you are doing the right thing. 2. Hire your own experienced QSA as an advisor. Even if a QSA is imposed on you for your validation process, nothing stops you from getting support from your trusted QSA. This advisor will be able to document the appropriate information to support his case and will bring a wealth of experience in dealing with the other QSA.
#3
They are scanning your systems to make sure that they are secured. This is because if your systems become compromised, you will compromise the systems that do contain the cardholder data. That said, I would argue that since your systems do not have access to the cardholder data, in bulk or otherwise, your systems are out of scope and therefore do not need to be scanned.
__________________
Jeff Hall, Director, Risk Advisory Services, RSM McGladrey Inc, 801 Nicollet Mall, 11th Floor, West Tower, Minneapolis, MN 55402-2526. 612 376 9280 - office, 612 395 7280 - facsimile. www.mcgladrey.com. The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc. Last edited by jbhall56; 12-21-2009 at 09:36 AM.
#4
Thanks very much for your reply.
As a small company barely keeping its head above water, the chances of hiring advisers or sending people on training courses are virtually nil. So I am trying to do the best I can. As far as the scan goes, the firm are saying they need to scan our network. We only access our third-party payment provider through the web. We do not save the passwords and we cannot see cardholder data. They are telling us that because we process refunds through this site, they need to scan our system to make sure access cannot be gained into the third-party site. I have repeatedly asked them for a detailed explanation of how this can be done, but have never received an answer. All they keep doing is threatening us with failing PCI compliance if we don't stump up the money for the scan. We do not seem to have any recourse to challenge this. Can anyone offer any advice on how we can proceed?
#5
If I understand you correctly here, we are talking about ASV scans and not a QSA scan looking for CHD.
As per PCI DSS, all merchants and service providers must have their external-facing IPs scanned for vulnerabilities every quarter. Look into the scan procedure: https://www.pcisecuritystandards.org...dures_v1-1.pdf There are a couple of key sentences there that you could refer to in your discussion: "PCI Security Scans may apply to all merchants and service providers with Internet-facing IP addresses." "May apply" suggests that it is not automatic that you must be scanned. "...seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and potentially expose cardholder data if not properly controlled." I would ask them to formally document how your web services could provide unprotected pathways to CHD. "Merchants and service providers have the ultimate responsibility for defining the scope of their PCI Security Scan, though they may seek expertise from ASVs for help." To me, this last statement demonstrates that they should change their attitude and that threatening you with non-compliance is not professional. You might also look into the PCI SSC and file a proper complaint. Hope this helps...
#6
This is a prime example of PCI compliance run amok.
There are a lot of merchants hiring ASVs for no reason other than that someone at their acquiring bank, who also doesn't have a clue, is mandating it without understanding why. It's just a PCI requirement as far as they are concerned, and that's all that counts. It also doesn't help that there are a lot of ASVs out there that either don't care or don't understand the PCI scanning requirements. All they care about is generating fees for all of that quarterly scanning. I would push back on this, as it is obvious that if you have no cardholder data stored or accessible, then there is no reason to scan your systems. Just because you can do a refund does not immediately imply that you have access to the PAN. I have seen numerous solutions that allow refunds to be generated without granting access to the full PAN. This is like saying that every household on the Internet needs to be scanned quarterly in order to access any eCommerce site. While it might be a good idea, and I'm sure a lot of ASVs would be salivating over the fees for such services, it's not very practical or realistic.
__________________
Jeff Hall, Director, Risk Advisory Services, RSM McGladrey Inc
#7
asmythe... you need to be clear on the payment gateway you are using. If the gateway takes the customer away from your site to make the credit card payment, then you do not need PCI compliance, as you won't be touching the cc details.
If the payment is taken or passed through your server in any way, then PCI compliance is necessary. I would advise using a gateway that takes the burden of payment away from you... unless there is a very good reason for you to take the card details and store them.
#8
Here is what I don't understand: how can one assume a network is not in scope without actually testing that network to make sure that IT IS NOT IN SCOPE?
In the Original Poster's case, just because his company states that they don't have any CHD stored and therefore their network is out of scope doesn't mean that a scan for CHD shouldn't be done. What if they do not have a strong policy that states that their employees should NEVER, under any circumstance, write down/copy down CHD and save a file, or on paper? What if the company does have this policy but never enforces it (no writing utensils, no papers allowed at the console, cannot save any files, suspensions, etc.)? Since they are using a 3rd-party gateway, it doesn't mean that an ASV scan shouldn't be done to make sure that it has no vulnerability to act as a gateway into the 3rd party's host. So, as far as the OP is concerned, I don't think it will hurt to perform an ASV scan, no? If your company cannot afford the $14.95 quarterly scans (https://www.clone-systems.com/ecomme...gipci01sc.html) then you should not be in business, nor should you be. This is where PCI needs to make a strong stand: it must clearly state what needs to be done to confirm that something is out of scope before declaring it out of scope. I think this is common sense, no?
#9
Agreed. You cannot just accept any organization's word that they do not do something.
Under the current rules, it is up to the ASV to make the determination as to whether or not scanning is required and what needs to be scanned. However, a lot of the ASVs that I've dealt with do not do any such diligence. They just scan, because they do not make any money finding out if they should scan. And merchants put up with this because they do not know any better. Then when I, as their QSA and adviser, come in and tell them that the scanning is not correct or wasn't necessary, I get lumped in with the ASV and yelled at because we're all only there because of PCI.
__________________
Jeff Hall, Director, Risk Advisory Services, RSM McGladrey Inc
Tags: compliance, profiteering, small company, system scan