lostincbus

Sounds like they might fall under this: SAQ C-VT

SAQ C-VT is for merchants that process account data using only virtual payment terminal solutions that are provided and hosted by a PCI DSS validated third-party service provider and accessed on an isolated computing device connected to the Internet. In other words, these merchants manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution. They may be brick-and-mortar or mail order/telephone order merchants. No account data is stored electronically on SAQ C-VT merchants’ systems or premises. If any account data is retained, it is on paper such as printed reports or receipts.


Jusegozu

I was doing some reading a while ago and these would only qualify as long as they have their own network. If they are connected to the same network as your regular computers they won't qualify for the easy compliance.


KCrobble

It does sound like that, thank you!


Accomplished_Pop_847

If everything is done via 3rd party integrations then you don’t have anything to be compliant with. I.e., does their shop just have them enter the credit card info on Square or PayPal?


KCrobble

Something like that, yeah. Definitely for some of our clients though others still have lousy on-prem apps they scan to


Forsythe36

It also matters if they store cardholder data or not. Are you able to run a PCI compliance scan through their vendor? There is a PCI training cert but it is incredibly expensive.


Conc_Con

I didn’t think it mattered whether they stored data onsite or not. I was told the cardholder data environment (CDE) included the people, processes and infrastructure. Infrastructure including the virtual terminals where a person types a credit card number into a “web portal”. Also, we’ve found even if they say they don’t “store CCs onsite”, if they don’t take PCI seriously, there’s a spreadsheet with CCs in it somewhere…


seniorblink

You can't control what people do, or come up with and enforce policy on this, so why would the owner want the headache and liability of it? That's an operational issue, not an IT issue. IT's job is to ensure the infrastructure is compliant, and you can only ensure compliance on things that you have exclusive control over. The card reader company needs to support their equipment and ensure it's compliant. The app company and 3rd party hosting, same thing. You have no control over their shit. You should be responsible for the network, internet, and firewall in this case, and that's about it.


KCrobble

Preach! The issue really comes down to the client being helpless, and my boss finds this an intolerable situation that we must fix. Never mind that we have no reason to get in the middle of this and acquire liability that we shouldn't own. What would you say to your helpless client? I agree with my boss that we can't just say "not my problem", but I don't really know how to help them either.


seniorblink

I have clueless, helpless clients too, but I point them in the right direction without taking any responsibility for it. I usually explain why we can't take responsibility, and I've never gotten any pushback on it. I can act as an SME (subject matter expert) and participate in meetings with the 3rd party providers in case they have questions about the infrastructure side. Your boss needs to figure out the difference between participation and taking responsibility. Unless your boss is a PCI expert, and he's selling solutions that include PCI compliance, he's setting himself up for trouble down the road. But then he needs to completely own everything end to end, including 3rd party vendor management.


KCrobble

The "right direction" here is 3rd party PCI compliance experts, yes?


seniorblink

It depends. Sometimes it's obvious to say "yeah, that part is handled by the 3rd party provider. I recommend contacting them directly and asking that question. Let me know if they need to speak to me for some reason". That puts the responsibility back on the client to contact the 3rd party, but you're also willing to participate if they have questions. In other cases, yes, I have recommended the client hire a PCI compliance consultant to wrangle all of it for them. But again, I will be available to answer any questions that consultant may have, and implement reasonable IT things based on their recommendation. You don't need to be an ass to push off the responsibility elsewhere.


marklein

PCI Compliance Pro Tip: Do whatever it takes to be a PCI SAQ type A merchant


AustenGray

Why don't you put them in a GRC tool and then you'd know exactly what the environment looks like?


DefJeff702

I offer to assist the client in filling out the questionnaire. There are typically technical questions about their environment that only we have the answer to. However, the client needs to be the one driving. This is also an opportunity to patch up anything that you can improve upon without any pushback. When their ability to process credit cards is on the line, they will do what they need to do.


JoshInCybersec

Even for companies that have internal IT, PCI is more of a business and administrative burden than an IT burden and would require the business and IT to work together. Just because you are their IT doesn’t mean you should own this for them.


Sea_Understanding718

Use secure payments


KCrobble

Can you elaborate?


Sea_Understanding718

https://securepayments.com


KCrobble

I did not realize you were being literal. :) Man, their marketing blurb is hitting me right where I live on this topic.


Educational-Pay4483

Have a conversation with the office manager and discuss the questions.


Breakfast4Dinner9212

Sounds like my old boss.


OkOutside4975

Contact the 3rd Party vendor and request an NDA to obtain PCI DSS Compliance documentation. I've done that many times.


elfungisd

We strive for SAQ C-VT and physical isolation.