“We’re compliant” is a phrase I’ve heard too many vendors say rather dismissively. Unfortunately, equally too many customers dismiss these responses as well with almost a sigh of relief. While the statement sounds good it shouldn’t be treated as a rubber stamp. If your church accepts credit cards for online donations, events, or any retail purchase chances are you’ve heard of PCI Compliance. If you are involved at all with these services and systems, its important that you understand what this really means.
PCI Compliance is actually a shortened version of two acronyms PCI DSS or Payment Credit Card Industry Data Security Standards. That’s quite a mouthful, so let’s just shorten it to PCI Compliance. PCI Compliance is a set of requirements designed to ensure that all companies who process, store, or transmit credit card information maintain a secure environment. Basically, it says ‘Trust Us. We’ll safeguard your parishioner’s financial data.”
This is critical for financial security and safeguarding your parishioner’s privacy, but its an often misunderstood and misused term. PCI Compliance is a set of standards that vendors are asked to follow, and yes, there’s a partial assessment process, but it seems rather incomplete to me. Let’s compare it to taking a test in school. If you’re child says they received an ‘A’ on their math test. You can take them for their word, ask to see the test, or if you really want to understand how they’re doing in math, you can call their teacher. You have multiple layers and options to validate their grade on the test. Yes, I know we all trust our children implicitly; this is, of course, just an example!
Trust but Verify
In the PCI Compliance world, with a few exceptions, you’re asked to rather blindly trust the vendor. The PCI Compliance Standards doesn’t have a governing body that validates results. There are no grades, teachers, or schools to back up the claim. Except for the highest category of PCI Compliance, Level 1, PCI Compliance is at least 50% a self-assessment. The vast majority of vendors who say they are PCI Compliant need to do one of two things to achieve compliance. All they really need to do is:
1. Complete a quarterly self-assessment questionnaire. Yes, its only a self-assessment.
2. For online vendors, submit to a quarterly system’s vulnerability scan by a 3rd party IT Security firm.
The odd thing about most PCI Compliance, is there’s no validation of the results. A company who says they PCI Compliant but has a problem with their Vulnerability Scan or doesn’t factually complete the self-assessment questionnaire can still say they’re compliant because there’s no one to verify the results. This means you need to trust the vendor at their word or follow one of my favorite sayings, “trust, but verify”. While there’s no 3rd party to validate the results, there’s no harm in asking your vendor to see a copy of their self-assessment questionnaire or their last vulnerability scan results. Now, they don’t have to provide it to you, but they should and it should definitely be a yellow-flag if the don’t.
PCI Compliance is a Question of Scope
Also, understanding what’s in scope of PCI Compliance is really important. I’ve been working in the online giving space for awhile and there the subject of PCI Compliance often comes up. I’m proud to say my firm’s online donation system, WeShare, is PCI Compliant, but I find it a little disappointing when a church asks me about PCI Compliance and then I later learn that they keep and retain parishioner credit cards on file, in an unsecured file cabinet in an unlocked room. They may be satisfied that the system is PCI Compliant, but they fail to understand that they’re not! The same holds true for other electronic donation vendors or credit card vendors. Is there whole system and processes really compliant? Or is it just the bank that processes your transactions? This can be really tricky when taking payments on line. What looks like your church’s website may be your website with an i-frame to a vendor’s site, who’s calling a web service to shopping cart or online payment site who’s then validating and processing the credit card via a merchant processor. So just who processes and stores the credit card data in that technology chain? Is everyone who touches the credit card information truly PCI Compliant?
The Proof is in the Pudding, PCI Level 1
There is one level of PCI Audits that has some real meat to it. There’s actually four levels of PCI Compliance. The first three have increases in the size and scope of the self-assessment or the frequency of the Internet Vulnerability Scans, but the highest level introduces the concept of the a 3rd party auditor or Qualified Security Assessor (QSA) in PCI lingo. There is a list of approved QSA auditors maintained by the credit card industry association that will preform and certify an audit of a company’s systems and processes. This audit ends with their 3rd party attestation (think of them as a notary) that the company is indeed PCI Compliant. This audit is conducted annually and is designed to be publicly available should any customer or prospect want to see a copy. I’m going through one of these audits now for my company’s online donation product and even though the scope of audit is exactly the same as the self-assessment questionnaire, having a 3rd party auditor review your processes, test your processes, and look for evidence that they are indeed working is a lot different that answering a True and False self-assessment questionnaire. The process itself has raised my security conscience considerably and made our systems and processes much tighter.
But Its Just My Church!
Does this really matter even for my church? Unfortunately, yes, it does. The negative consequences for failing to protect your parishioners data privacy can result in data theft, credit card fraud, and an undermining of the trust in your church. Understanding what PCI Compliance is and is not, is a great step in ensuring your parishioner’s data privacy.