I have now seen PCI from the merchant side. I’m on the PCI team on campus, and I help get everyone ready for our normal reporting date of June 30. Except, this year, we’re a level 2 merchant, and we’ve chosen to have a Qualified Security Assessor (QSA), come in and basically audit us. And all the data collection starts a *lot* earlier. I’ve spent the last 4 months working with our various departments and getting all the paperwork ready for our initial submission to our QSA – mostly involving nagging people to get things done and produce evidence, and learning that things people said were in place last year, weren’t really in place, and pushing folks to get them in place for our deadline.
Now, we wait for our QSA to do their side of the work, and tell us what we’re missing. It’s been an interesting process, and I highly suggest that any merchant go through with a QSA, even if they’re not required to. 1) The QSA acts as an advice authority. They’ve probably seen it all, and have suggestions on efficient ways of doing things that you wouldn’t have thought of. 2) They make sure you’ve got all your ducks in a row as it relates to PCI and that you have all of the documentation to prove it.
It has been a lot of work, and I’m looking forward to a bit more relaxing at work. I have 300+ e-mail messages in my inbox right now because I’ve been working on this pretty much to the exclusion of everything else I also have to do. This next week is going to be clearing out the junk – both e-mail and mental fog that’s been surrounding me the last month or so of this final push. You should see more regular posts from me now that this is over and I have time to actually think instead of just do.