Here are the "adverts" for 2 virtual terminal payment systems:
...but to take card payments, you need to be PCI-DSS compliant right?
Before you even start the assessment, SAQ C-VT https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2-SAQ-C_VT-rev1_1.pdf says:
Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation to isolate the computer from other systems)
Given the PCI-DSS requirement, do you think that the adverts are misleading?
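For readers wondering what "isolate the computer from other systems" looks like in practice, here is an added example of a host-based nftables policy for the dedicated virtual-terminal PC. It is not from the thread, the SAQ, or either vendor. It assumes placeholder addresses (203.0.113.10 for the provider's virtual terminal over HTTPS, 192.0.2.53 for DNS and 192.0.2.123 for NTP), and that the machine needs nothing else; substitute the real provider and LAN service addresses before use.

```nft
#!/usr/sbin/nft -f
# Added example (not vendor or PCI SSC material): lock a dedicated
# virtual-terminal PC down so it can reach only the payment provider,
# and nothing on the business LAN can reach it.
# Placeholder addresses: 203.0.113.10 = provider VT (assumed),
# 192.0.2.53 = resolver (assumed), 192.0.2.123 = NTP (assumed).
flush ruleset

table inet vt_isolation {
    # "Other systems within your environment": the private address ranges.
    set internal_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Nothing on the LAN may initiate a connection to this PC
        # (no RDP, SMB, file shares, printer discovery, remote support).
        counter drop comment "inbound from anywhere refused"
    }

    chain forward {
        # The PC is not a router; it must never bridge networks.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # The only permitted destinations: resolver, time source, and the
        # provider's virtual terminal over TLS.
        ip daddr 192.0.2.53 udp dport 53 accept
        ip daddr 192.0.2.123 udp dport 123 accept
        ip daddr 203.0.113.10 tcp dport 443 accept
        # Count attempts to talk to the rest of the business network
        # separately so they stand out in `nft list ruleset`.
        ip daddr @internal_nets counter drop comment "no access to other internal systems"
        counter drop comment "all other egress refused"
    }
}
```

Load it with `nft -f` and review the counters with `nft list ruleset`; a rising "no access to other internal systems" counter means something on the PC (software update, file share, browser) is still trying to use the LAN and the machine is not yet dedicated. A host firewall is only one layer: the quoted clause also allows for segmentation on the network side (a separate VLAN or switch ACL), and an assessor will usually want to see that the isolation does not depend solely on the PC's own configuration.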
@RossTooke wrote: Before you even start the assessment, SAQ C-VT https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2-SAQ-C_VT-rev1_1.pdf says:
Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation to isolate the computer from other systems)
Given the PCI-DSS requirement, do you think that the adverts are misleading?
Note the area I highlighted in the quoted paragraph. All small and many medium-sized businesses will fail to provide a single, physically and logically isolated PC for using this service. The service provider is clearly putting the burden on the customer to understand what that paragraph means, why it is important, and to have the staffing ready to implement the solution. And if the individual merchant ever faces a PCI-DSS audit, they will fail.
Firewalls and subnets? They are focused on selling fabric to seamstresses!
This is one of the biggest issues I have with the self-assessment approach to compliance. Every one of those small and many medium-sized businesses will have attested to their compliance, and it's not until something goes wrong that anything is done about it.
If the UK wants to be "Cyber Secure" it needs to do more than ask businesses if they are compliant. Not many businesses are going to say "no, we're not".
I've been told that 67% of UK businesses aren't GDPR compliant. I'm willing to bet that figure isn't an accurate reflection of how businesses represent themselves to the public or the ICO.
It's the same with PCI-DSS. If I can self-assess, does it not matter to the banks that I'm getting it horribly wrong?