Do you need to hire a professional in order to be pci compliant?












I run an organic food store, and after a conference call with my credit card service (CardConnect), do I really have to hire a PCI certified professional once a year in order to be PCI compliant? If this is the case, how much does it cost?

Or am I just misreading things? I don't think any "cyber criminal" is going to target my business. NCR Silver handles all my credit card transactions.

































scam financial
















asked Feb 16 at 2:08









thinksinbinary














  • ncrsilver.com/what-is-pci-compliance

    – they
    Feb 16 at 2:59











    "i don't think any "cyber criminal" is going to target my business." Wow.

    – Joseph Sible
    Feb 16 at 3:46











    To make a more useful comment than Joseph Sible: in the modern world, any business with an online presence of any sort will be targeted by cyber criminals. Many businesses without online presences are still targeted by cyber criminals, despite the reduced attack surface. If you're careful, there can be a big difference between being targeted and being compromised, which is part of what PCI compliance is about - but that's only about protecting credit card info, not your business.

    – Ed Grimm
    Feb 16 at 4:01













  • @they: so, what you're trying to say is that ncrsilver is already PCI compliant, and I don't need to hire anyone? This all just seems like a classic case of taxation and racketeering to me.

    – thinksinbinary
    Feb 16 at 4:06











    There are different levels of compliance depending on your volume. I'm not very up to date with PCI DSS, but from memory, at levels 3 and 4 you can self-certify.

    – paj28
    Feb 16 at 8:07





























4 Answers






































If you handle credit card numbers, then yes, you have to be certified by a qualified auditor, and this certification requires you to hire an external/independent PCI Qualified Security Assessor.

However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance significantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is primarily based on the volume of your expected transactions, the mechanism by which you integrate with your payment processor, and how you handle card data.

Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.






answered Feb 16 at 3:36 (edited Feb 18 at 2:11)
Lie Ryan















































    Do you need to be cautious about security?
    If you are using a POS (point of sale) system, a simple reason could be: this machine simply requests the money transfer. The credit card data being transferred to complete the transaction is sensitive, and the whole process needs to be PCI (payment) compliant. You might not have an online business, but that only means less concern. Anyone can be a target of cyber criminals, at small or large scale; it's just a matter of time.
    Start with the PCI SAQ (Self Assessment Questionnaire); this should give you an idea of whether you still need a professional to run through it.

    How much does it cost?
    It depends on the variables that affect the overall cost: the size and type of the business. The larger the organization, the more potential compliance gaps, and therefore the more costly.






    answered Feb 16 at 6:17
    Vcode














































      i run an organic food store, and after a conference call with my
      credit card service (card connect), do i really have to hire a PCI
      certified professional once a year in order to be pci compliant?




      You probably do not need to hire a PCI certified professional, because unless you're a particularly large organic food store, you are likely small enough that the Self-Assessment Questionnaire will suffice. (The caveat being that your processor may compel you to have an audit instead of an SAQ, but that would usually only be the case for a small merchant who had a history of compliance problems).



      If you've never gone through the process, then hiring an auditor at least once is a good idea. They can help you understand the issues so that handling the SAQ will be easier for you in future years. They can point out security issues that the SAQ might not make apparent to you.




      If this is the case, how much does it cost?




      That varies widely by the size and location of your business, and by the individual auditor you might engage, so it's impossible for us to say. The standard advice of "get multiple quotes" applies.




      Or am I just misreading things, i don't think any "cyber criminal" is going to target my business.




      If you handle cards, you are a target of opportunity. They may not know or care who you are, but they'll hit you nonetheless. It's not about your level of profit, it's about the fact that customers hand you cards, and each card represents thousands of potential dollars, and a useful smaller amount of real dollars to the attacker who sells it down the line. PCI DSS is not about employees, it's about infrastructure and practices to protect the cards that have to flit across your business on their way to the processor.



      Sure, NCR does a lot to protect the cards - but a necessary step, imposed by the card brands, is to make sure that Merchants do their part also.
































      • Well, this is the thing: my organic food store barely makes a profit; I pay all my employees in the area a decent wage. The thing that bothers me about this is that none of the PCI compliance sites are explicit about what they are protecting you against. The issue with internet security overall is that some [robot] has to get the credit card information along the way; we can start scanning employees' pockets when we process their credit card payments. I would think that NCR imposes really good security measures on their credit card processes. And no, it's obvious that we don't store the info.

        – thinksinbinary
        Feb 17 at 1:31













        @thinksinbinary: NCR may have good security measures, but processors are not the ultimate target of responsibility of the audit; merchants are. You should contact NCR and ask them for advice on how to fill in your SAQ. Completing a SAQ is a pretty simple process; if you already use a processor, you'd be answering most questions N/A anyway. If you have done the SAQ and found that you are lacking in several areas, that will still be viewed more favorably than never having done any self-audit at all. You don't want the bank to be the one auditing you after an "event".

        – Lie Ryan
        Feb 17 at 2:00













        @thinksinbinary: ultimately, PCI compliance isn't about protecting the merchant. It's about protecting the bank customer's credit card from misuse. For better or worse, the credit card system has been designed to favour customers rather than merchants, but merchants are responsible for implementing parts of the security measures. Merchants aren't directly negatively affected by card data leaks, so the way banks force merchants to take their responsibility seriously is with chargebacks, fines, and blacklists.

        – Lie Ryan
        Feb 17 at 3:34











      • @thinksinbinary updated the end of the answer to address your comment.

        – gowenfawr
        Feb 17 at 3:44











      • I thought about this a lot today; one thing I could do is plug my computer into the router of the POS processor and run Wireshark to see if the packets are encrypted. Just kidding. I don't even own an organic food store; you all aren't paranoid and secure enough about who you give information to.

        – thinksinbinary
        Feb 17 at 6:11

































      Cyber criminals use spam to send fake (phishing) emails. If your business gets caught by one, the attacker has a way into your network, where they will scan for your POS system. Many small businesses have been hacked because their POS service provider was hacked, and all the clients on their list were penetrated. No business is too small, because many criminals are in a different country, and don’t know anything about you or your size. You are just another gold nugget to be mined in the eyes of these criminals.



      Why comply with PCI-DSS? Because your business will be held liable for all losses associated with any breach you’re involved in. If you have a customer with a million dollar credit limit on their card, and the thieves who stole it from you use it to buy a Ferrari, you’re liable for the whole amount.



      It sounds like you’re a Tier 1 merchant, so take the self-assessment route, if you can. It won’t get you completely off the hook if your POS system is breached, but at least you’ll have someone else to shoulder the burden.



      Also, take the opportunity to learn about and convert to EMV chip cards, if you haven’t already. Mag stripes are worthless for security. Chip cards will protect you from a whole host of risks.






























      • Assuming that the business owner was "dumb" enough to fall victim to a phishing scam, it wouldn't matter, because the POS is a separate network.

        – thinksinbinary
        Feb 17 at 6:24











      • @thinksinbinary, that is an extremely short-sighted approach. The Target hack started when a bookkeeper at an HVAC vendor (not even a Target employee!) fell for a phishing email. The hackers tunneled in through firewalls, virtual machines, isolated networks, and bypassed other security measures. Don’t imagine for a minute that your network is secure against these kinds of attackers, because it is not.

        – John Deters
        Feb 17 at 21:56











      • "That is a short-sighted approach", John Deters, thanks for using your info-sec knowledge to help me. However, most people don't wear bulletproof vests despite the real possibility of getting shot in public in 2019. Target is a serious target for hacking because of their size and indiscretion. I've read the SAQ and some of the requirements aren't necessary for this small organic food business, but PCI compliance is currently threatening the financial security of the low-profit store. In the end they should hire the fancy expert, but my job is to find out if they need it, and how much to pay.

        – thinksinbinary
        Feb 19 at 13:09











      • I’m sorry, that was unnecessarily rude of me. I should have said I’ve seen faith in technical solutions approaching hubris, and seen them fail often enough to know that no single technical solution is adequate once the bad guys are inside the network. I don’t think anyone should rest on “I segmented the network so my job is done.” Those bad guys didn’t choose Target, they were simply drilling into the compromised HVAC vendor and found a link to Target they exploited. Access to the HVAC system was sold by the original phishing spammer for $70; he didn’t know it was the entrance to a gold mine.

        – John Deters
        Feb 19 at 19:30











      • Nah, you weren't so rude; it's just that the store I was helping doesn't need PCI compliance tests because they have a very simple system and don't make much money: the POS is a separate system, and I ran Wireshark while connected to the server and the packets are unreadable without encryption cracking. Plus, the employees can't install new software on the two POS tablets.

        – thinksinbinary
        Feb 20 at 21:51











      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203670%2fdo-you-need-to-hire-a-professional-in-order-to-be-pci-compliant%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      4 Answers
      4






      active

      oldest

      votes








      4 Answers
      4






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      12














      If you handle credit card numbers, then yes, you have to be certified by a qualified auditor and this certification requires you hiring an external/independent PCI qualified security assessor.



      However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance signficantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is primarily based on the volume of your expected transactions, mechanism you integrate with your payment processor, and how you handle card data.



      Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.






      share|improve this answer






























        12














        If you handle credit card numbers, then yes, you have to be certified by a qualified auditor and this certification requires you hiring an external/independent PCI qualified security assessor.



        However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance signficantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is primarily based on the volume of your expected transactions, mechanism you integrate with your payment processor, and how you handle card data.



        Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.






        share|improve this answer




























          12












          12








          12







          If you handle credit card numbers, then yes, you have to be certified by a qualified auditor and this certification requires you hiring an external/independent PCI qualified security assessor.



          However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance signficantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is primarily based on the volume of your expected transactions, mechanism you integrate with your payment processor, and how you handle card data.



          Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.






          share|improve this answer















          If you handle credit card numbers, then yes, you have to be certified by a qualified auditor and this certification requires you hiring an external/independent PCI qualified security assessor.



          However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance signficantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is primarily based on the volume of your expected transactions, mechanism you integrate with your payment processor, and how you handle card data.



          Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Feb 18 at 2:11

























          answered Feb 16 at 3:36









          Lie RyanLie Ryan

          23.5k35077




          23.5k35077

























              1














              Do you need to be cautious about security?
              If you are using POS(Point of Sale system) a simple reason could be;
              This Machine is simply request the money transfer. The credit card data being transferred to complete the transaction are sensitive and the whole process needs to be PCI (payment )compliance. You might not have online business but it only means less concern. Anyone can be target of cyber criminals in small or large scale and just a matter of time.
              Start with PCI SAQ (Self Assessment Questionnaire) and this should give an idea if you still need a professional to run through that.



              How much does it cost?
              Depends on variable that will affect the overall cost, the size and type of business. The larger the organization, the more potential compliance gaps therefore more costly.






              share|improve this answer




























                1














                Do you need to be cautious about security?
                If you are using POS(Point of Sale system) a simple reason could be;
                This Machine is simply request the money transfer. The credit card data being transferred to complete the transaction are sensitive and the whole process needs to be PCI (payment )compliance. You might not have online business but it only means less concern. Anyone can be target of cyber criminals in small or large scale and just a matter of time.
                Start with PCI SAQ (Self Assessment Questionnaire) and this should give an idea if you still need a professional to run through that.



                How much does it cost?
                Depends on variable that will affect the overall cost, the size and type of business. The larger the organization, the more potential compliance gaps therefore more costly.






                share|improve this answer


























                  1












                  1








                  1







                  Do you need to be cautious about security?
                  If you are using POS(Point of Sale system) a simple reason could be;
                  This Machine is simply request the money transfer. The credit card data being transferred to complete the transaction are sensitive and the whole process needs to be PCI (payment )compliance. You might not have online business but it only means less concern. Anyone can be target of cyber criminals in small or large scale and just a matter of time.
                  Start with PCI SAQ (Self Assessment Questionnaire) and this should give an idea if you still need a professional to run through that.



                  How much does it cost?
                  Depends on variable that will affect the overall cost, the size and type of business. The larger the organization, the more potential compliance gaps therefore more costly.






                  share|improve this answer













                  Do you need to be cautious about security?
                  If you are using POS(Point of Sale system) a simple reason could be;
                  This Machine is simply request the money transfer. The credit card data being transferred to complete the transaction are sensitive and the whole process needs to be PCI (payment )compliance. You might not have online business but it only means less concern. Anyone can be target of cyber criminals in small or large scale and just a matter of time.
                  Start with PCI SAQ (Self Assessment Questionnaire) and this should give an idea if you still need a professional to run through that.



                  How much does it cost?
                  Depends on variable that will affect the overall cost, the size and type of business. The larger the organization, the more potential compliance gaps therefore more costly.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Feb 16 at 6:17









                  VcodeVcode

                  581128




                  581128























                      1















                      i run an organic food store, and after a conference call with my
                      credit card service (card connect), do i really have to hire a PCI
                      certified professional once a year in order to be pci compliant?




                      You probably do not need to hire a PCI certified professional, because unless you're a particularly large organic food store, you are likely small enough that the Self-Assessment Questionnaire will suffice. (The caveat being that your processor may compel you to have an audit instead of an SAQ, but that would usually only be the case for a small merchant who had a history of compliance problems).



                      If you've never gone through the process, then hiring an auditor at least once is a good idea. They can help you understand the issues so that handling the SAQ will be easier for you in future years. They can point out security issues that the SAQ might not make apparent to you.




                      If this is the case, how much does it cost?




                      That varies widely by the size and location of your business, and by the individual auditor you might engage, so it's impossible for us to say. The standard advice of "get multiple quotes" applies.




                      Or am I just misreading things, i don't think any "cyber criminal" is going to target my business.




                      If you handle cards, you are a target of opportunity. They may not know or care who you are, but they'll hit you nonetheless. It's not about your level of profit, it's about the fact that customers hand you cards, and each card represents thousands of potential dollars, and a useful smaller amount of real dollars to the attacker who sells it down the line. PCI DSS is not about employees, it's about infrastructure and practices to protect the cards that have to flit across your business on their way to the processor.



                      Sure, NCR does a lot to protect the cards - but a necessary step, imposed by the card brands, is to make sure that Merchants do their part also.







• Well, this is the thing: my organic food store barely makes a profit, and I pay all my employees in the area a decent wage. The thing that bothers me about this is that none of the PCI compliance sites are explicit about what they are protecting you against. The issue with internet security overall is that some [robot] has to get the credit card information along the way; we can start scanning employees' pockets when we process their credit card payments. I would think that NCR imposes really good security measures on their credit card processes. And no, it's obvious that we don't store the info.
  – thinksinbinary
  Feb 17 at 1:31

• @thinksinbinary: NCR may have good security measures, but processors are not the ultimate target of responsibility of the audit; merchants are. You should contact NCR and ask them for advice on how to fill in your SAQ. Completing an SAQ is a pretty simple process; if you already use a processor, you'd be answering most questions N/A anyway. If you have done an SAQ and found that you are lacking in several areas, that will still be viewed more favorably than never having done any self-audit at all. You don't want the bank to be the one auditing you after an "event".
  – Lie Ryan
  Feb 17 at 2:00

• @thinksinbinary: ultimately, PCI compliance isn't about protecting the merchant. It's about protecting the bank customer's credit card from misuse. For better or worse, the credit card system has been designed to favour customers rather than merchants, but merchants are responsible for implementing parts of the security measures. Merchants aren't directly negatively affected by card data leaks, so the way banks force merchants to take their responsibility seriously is with chargebacks, fines, and blacklists.
  – Lie Ryan
  Feb 17 at 3:34

• @thinksinbinary updated the end of the answer to address your comment.
  – gowenfawr
  Feb 17 at 3:44

• I thought about this a lot today; one thing I could do is plug my computer into the router of the POS processor and run Wireshark to see if the packets are encrypted. Just kidding. I don't even own an organic food store; you all aren't paranoid and secure enough about who you give information to.
  – thinksinbinary
  Feb 17 at 6:11
















edited Feb 17 at 3:44
answered Feb 16 at 15:08
gowenfawr


                      Cyber criminals use spam to send fake (phishing) emails. If your business gets caught by one, the attacker has a way into your network, where they will scan for your POS system. Many small businesses have been hacked because their POS service provider was hacked, and all the clients on their list were penetrated. No business is too small, because many criminals are in a different country, and don’t know anything about you or your size. You are just another gold nugget to be mined in the eyes of these criminals.



                      Why comply with PCI-DSS? Because your business will be held liable for all losses associated with any breach you’re involved in. If you have a customer with a million dollar credit limit on their card, and the thieves who stole it from you use it to buy a Ferrari, you’re liable for the whole amount.



                      It sounds like you’re a Tier 1 merchant, so take the self-assessment route, if you can. It won’t get you completely off the hook if your POS system is breached, but at least you’ll have someone else to shoulder the burden.



                      Also, take the opportunity to learn about and convert to EMV chip cards, if you haven’t already. Mag stripes are worthless for security. Chip cards will protect you from a whole host of risks.







• Assuming that the business owner was "dumb" enough to fall victim to a phishing scam, it wouldn't matter, because the POS is a separate network.
  – thinksinbinary
  Feb 17 at 6:24

• @thinksinbinary, that is an extremely short-sighted approach. The Target hack started when a bookkeeper at an HVAC vendor (not even a Target employee!) fell for a phishing email. The hackers tunneled in through firewalls, virtual machines, isolated networks, and bypassed other security measures. Don’t imagine for a minute that your network is secure against these kinds of attackers, because it is not.
  – John Deters
  Feb 17 at 21:56

• "That is a short-sighted approach", John Deters, thanks for using your info-sec knowledge to help me. However, most people don't wear bulletproof vests despite the real possibility of getting shot in public in 2019. Target is a serious target for hacking because of their size and indiscretion. I've read the SAQ, and some of the requirements aren't necessary for this small organic food business, but PCI compliance is currently threatening the financial security of the low-profit store. In the end they should hire the fancy expert, but my job is to find out if they need it, and how much to pay.
  – thinksinbinary
  Feb 19 at 13:09

• I’m sorry, that was unnecessarily rude of me. I should have said I’ve seen faith in technical solutions approaching hubris, and seen them fail often enough to know that no single technical solution is adequate once the bad guys are inside the network. I don’t think anyone should rest on “I segmented the network so my job is done.” Those bad guys didn’t choose Target; they were simply drilling into the compromised HVAC vendor and found a link to Target they exploited. Access to the HVAC system was sold by the original phishing spammer for $70; he didn’t know it was the entrance to a gold mine.
  – John Deters
  Feb 19 at 19:30

• Nah, you weren't so rude; it's just that the store I was helping doesn't need PCI compliance tests, because they have a very simple system and don't make much money: the POS is a separate system, and I ran Wireshark while connected to the server and the packets are unreadable without encryption cracking. Plus, the employees can't install new software on the two POS tablets.
  – thinksinbinary
  Feb 20 at 21:51
















                      0














                      Cyber criminals use spam to send fake (phishing) emails. If your business gets caught by one, the attacker has a way into your network, where they will scan for your POS system. Many small businesses have been hacked because their POS service provider was hacked, and all the clients on their list were penetrated. No business is too small, because many criminals are in a different country, and don’t know anything about you or your size. You are just another gold nugget to be mined in the eyes of these criminals.



                      Why comply with PCI-DSS? Because your business will be held liable for all losses associated with any breach you’re involved in. If you have a customer with a million dollar credit limit on their card, and the thieves who stole it from you use it to buy a Ferrari, you’re liable for the whole amount.



                      It sounds like you’re a Tier 1 merchant, so take the self-assessment route, if you can. It won’t get you completely off the hook if your POS system is breached, but at least you’ll have someone else to shoulder the burden.



                      Also, take the opportunity to learn about and convert to EMV chip cards, if you haven’t already. Mag stripes are worthless for security. Chip cards will protect you from a whole host of risks.






                      share|improve this answer
























• assuming that the business owner was "dumb" enough to fall victim to a phishing scam, it wouldn't matter because the POS is a separate network.

  – thinksinbinary
  Feb 17 at 6:24

• @thinksinbinary, that is an extremely short-sighted approach. The Target hack started when a bookkeeper at an HVAC vendor (not even a Target employee!) fell for a phishing email. The hackers tunneled in through firewalls, virtual machines, isolated networks, and bypassed other security measures. Don’t imagine for a minute that your network is secure against these kinds of attackers, because it is not.

  – John Deters
  Feb 17 at 21:56

• "that is a short-sighted approach", John Deters, thanks for using your info-sec knowledge to help me. However, most people don't wear bulletproof vests despite the real possibility of getting shot in public in 2019. Target is a serious target for hacking because of their size and indiscretion. I've read the SAQ and some of the requirements aren't necessary for this small organic food business, but PCI compliance is currently threatening the financial security of the low-profit store. In the end they should hire the fancy expert, but my job is to find out if they need it, and how much to pay.

  – thinksinbinary
  Feb 19 at 13:09

• I’m sorry, that was unnecessarily rude of me. I should have said I’ve seen faith in technical solutions approaching hubris, and seen them fail often enough to know that no single technical solution is adequate once the bad guys are inside the network. I don’t think anyone should rest on “I segmented the network so my job is done.” Those bad guys didn’t choose Target, they were simply drilling into the compromised HVAC vendor and found a link to Target they exploited. Access to the HVAC system was sold by the original phishing spammer for $70; he didn’t know it was the entrance to a gold mine.

  – John Deters
  Feb 19 at 19:30

• nah, you weren't so rude, it's just that the store I was helping doesn't need PCI compliance tests because they have a very simple system and don't make much money: the POS is a separate system, and I ran Wireshark while connected to the server and the packets are unreadable without encryption cracking. Plus, the employees can't install new software on the two POS tablets.

  – thinksinbinary
  Feb 20 at 21:51
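A capture in which the bytes look opaque is a weaker check than it appears: it shows that one session was not plaintext, not that every flow the terminals produce is encrypted, and not that a card number never crosses the wire in the clear (the point of PCI DSS Requirement 4). The script below is an added example, not code from this thread or from any vendor mentioned in it. It makes the check a defender would actually want over payloads already extracted from a capture: it flags payloads that begin with a TLS record header, and it flags any cleartext run of 13 to 19 digits that passes the Luhn check, while ignoring digit runs (order numbers, timestamps) that fail it. The flow labels and packet payloads are constructed for the example; the card number is the widely published Visa test number, not a real card.

```python
import re

# Card-number candidates: 13 to 19 digits, optionally separated by single
# spaces or dashes, not glued to other digits on either side.
PAN_RE = re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> list[str]:
    """Return the cleartext card-number candidates in a payload that pass Luhn."""
    found = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a TLS record header (type, version 3.x, length)."""
    return (
        len(payload) >= 5
        and payload[0] in (0x14, 0x15, 0x16, 0x17)   # CCS, alert, handshake, app data
        and payload[1] == 0x03
        and payload[2] <= 0x04
    )


def mask(pan: str) -> str:
    """Display masking for a report: only the last four digits remain visible."""
    return "*" * (len(pan) - 4) + pan[-4:]


def audit(packets):
    """Classify each (label, payload) pair: is it TLS, and does it carry a PAN in the clear?"""
    report = []
    for label, payload in packets:
        report.append({
            "flow": label,
            "tls": looks_like_tls(payload),
            "cleartext_pans": [mask(p) for p in find_pans(payload)],
        })
    return report


# Constructed sample payloads (not from a real capture); flow labels are hypothetical.
SAMPLE_PACKETS = [
    ("pos-tablet -> gateway:443",
     bytes.fromhex("1603030005") + b"\x01\x00\x00\x01\x00"),   # TLS handshake record
    ("pos-tablet -> gateway:80",
     b"POST /charge HTTP/1.1\r\nHost: gw.example\r\n\r\n"
     b"pan=4111 1111 1111 1111&exp=1229"),                       # cleartext, carries a PAN
    ("pos-tablet -> inventory:8080",
     b"GET /order/1234567890123456 HTTP/1.1\r\n"),              # 16 digits, fails Luhn
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PACKETS):
        status = "TLS" if finding["tls"] else "CLEARTEXT"
        leak = ", ".join(finding["cleartext_pans"]) or "none"
        print(f"{finding['flow']:32} {status:10} PAN in clear: {leak}")
```

Run over the constructed samples, the first flow is reported as TLS with nothing in the clear, the second as cleartext carrying a masked card number, and the third as cleartext with no finding. A flow that is neither TLS nor carrying a PAN still deserves a look, since the check only proves absence of card data in what was captured, not that the channel is protected.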














                      0



















                      Cyber criminals use spam to send fake (phishing) emails. If your business gets caught by one, the attacker has a way into your network, where they will scan for your POS system. Many small businesses have been hacked because their POS service provider was hacked, and all the clients on their list were penetrated. No business is too small, because many criminals are in a different country, and don’t know anything about you or your size. You are just another gold nugget to be mined in the eyes of these criminals.



                      Why comply with PCI-DSS? Because your business will be held liable for all losses associated with any breach you’re involved in. If you have a customer with a million dollar credit limit on their card, and the thieves who stole it from you use it to buy a Ferrari, you’re liable for the whole amount.



                      It sounds like you’re a Tier 1 merchant, so take the self-assessment route, if you can. It won’t get you completely off the hook if your POS system is breached, but at least you’ll have someone else to shoulder the burden.



                      Also, take the opportunity to learn about and convert to EMV chip cards, if you haven’t already. Mag stripes are worthless for security. Chip cards will protect you from a whole host of risks.





























                      answered Feb 17 at 3:19









John Deters































