Service providers have dealt with compliance-driven information security mandates for much longer than merchant’s have.  The catalyst for Visa’s CISP program was reportedly service providers, but enforcement ultimately expanded to all stakeholders.  Regardless of its origins, a certain class of service provider has significant challenges complying with these requirements without shuttering portions of their business.

Let’s say that a financial service provider is processing credit card transactions as an acqurier, as well as doing issuer processing for other third-party banks.  How can the business comply with PCI if they also must store prohibited data in order to process on behalf of their issuer customers?

Swiss Army Knife, by xjara69

Swiss Army Knife, by xjara69

That, my friends, is one of the big questions in the industry today.

Attendees from both community meetings this year ((In Vegas, the room exploded into applause when  the question was asked.)) had questions about issuers and their responsibilities for complying with PCI DSS, and in both cases, representatives from the Technical Working Group (TWG) stated that guidelines were forthcoming.  What steps should these institutions take in the mean time?

Pretty much only one… isolate these transactions!

I realize this is easy for me to say sitting high atop my consultant ivory tower, looking down my nose at all those who oppose me, and opposes what most IT strategy will have for those systems if the software running things on the back end is the same.  You may be in a situation where separating those two environments is infeasible.

Can you use a compartmentalization strategy?  That may be your next logical step.  Separate your issuer and acquirer processing data using access controls.  This way, you can focus on each environment individually.  If possible, make sure that your application is interfacing with your database via views, and not direct queries.  Using this method allows a DBA to effectively shut down certain types of access (say to that prohibited data) depending on which components of your application you are using.

If not that, then it’s going to be lots of explaining with your QSA, banks, and payment brands.  Focus on the controls in place for each area, and do everything you can to demonstrate how each function operates independently.

If none of this is possible, it’s time to have a heart to heart with your software vendor.  If they cannot come up with a solution for you, then you are faced with one of three possibilities.  Don’t comply, shut down a part of your business, or change software vendors—all of which are costly and time consuming.

This post originally appeared on

Possibly Related Posts: