How to comply with PCI standards
Written by Russ Levanway, CEO of TekTegrity, Inc.   
Tuesday, 10 August 2010 07:29

If a business stores, processes or transmits credit cardholder information, it must comply with the Payment Card Industry Data Security Standard (PCI DSS) or risk fines and the loss of its ability to accept cards.

The five major card brands (Visa, MasterCard, American Express, Discover and JCB) first aligned their separate security programs into a single standard, PCI DSS 1.0, in 2004, and in 2006 they formed the Payment Card Industry Security Standards Council (PCI SSC) to maintain it. The council publishes the worldwide data security requirements known collectively as the Payment Card Industry Data Security Standard (PCI DSS).

These standards were put in place to improve security and reduce fraud across the growing number of credit and debit card transactions in today's business world. PCI DSS increases the required controls around cardholder data and lessens exposure to compromise.

The standard applies to every entity that stores, processes or transmits cardholder data for a card branded with the logo of any of the five brands, regardless of the entity's size or transaction volume.

The Six Basic Requirement Categories

A. Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
B. Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
C. Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
D. Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
E. Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
F. Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.

(Source: PCI Security Standards Council, www.pcisecuritystandards.org/security_standards/pci_dss.shtml)

The Four Levels of Compliance and How Compliance is Monitored

The card brands (not PCI DSS itself) divide merchants into four levels by the number of credit and/or debit card transactions processed per year. The level definitions below are Visa's; the other brands use similar but not identical thresholds, and a merchant's acquiring bank ultimately assigns its level.

A company is Level 1 if it processes over 6 million Visa transactions per year regardless of acceptance channel, or if Visa separately decides it should be treated as Level 1 because of elevated risk (for example, after a compromise).

Level 1 organizations must have an annual onsite assessment by an independent Qualified Security Assessor (QSA), documented in a Report on Compliance. They must also pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). An ASV scan is an automated scan of the organization's Internet-facing systems for known vulnerabilities and misconfigurations; it is not a penetration test and does not attempt to breach the systems.

A company is Level 2 if it processes between 1 million and 6 million transactions per year regardless of acceptance channel. Level 3 covers companies processing 20,000 to 1 million Visa e-commerce transactions per year. Level 4 covers companies processing fewer than 20,000 Visa e-commerce transactions per year and all other companies processing up to 1 million transactions per year regardless of acceptance channel.

Levels 2 through 4 are not required to have an annual QSA assessment; instead they complete an annual Self-Assessment Questionnaire (SAQ). The SAQ form to use is determined by how the company handles cards (for example, card-not-present merchants that fully outsource payment processing use a shorter SAQ than merchants that store cardholder data on their own systems), not by the level itself. Like Level 1, levels 2 through 4 must also pass quarterly ASV scans of any Internet-facing systems in scope.

Three Important Things About PCI to Remember

1. Compliance IS mandatory for any and all companies (regardless of size, revenue, etc.) that process card transactions from the brands mentioned above.
   All entities that accept credit or debit payments were required to be compliant with PCI DSS by January 1, 2009. The obligation is usually written into the merchant agreement with the acquiring bank that gives an organization the ability to process card transactions. Stricter enforcement began on July 1, 2010 to ensure continued compliance.
2. Large fines can be applied to organizations that are not PCI compliant.
   The card brands have stated that fines can range from $5,000 to $500,000. The brands levy these fines on the acquiring bank, which passes them on to the merchant under the merchant agreement. The brands also have the power to revoke a company's ability to accept credit and debit payments. Visa has stated it will waive the fines following a compromise if the company can prove it was in fact PCI compliant at the time. These fines apply to organizations processing any number of card transactions.
3. Third-party processing companies are not exempt from the compliance standards.
   Using a compliant third-party processor can shrink the part of your environment that is in scope for PCI DSS, but it does not transfer responsibility: the merchant remains accountable for its own compliance, and the processor must comply as a service provider in its own right.

The PCI Security Standards Council and the card brands are increasing their focus on enforcement of these standards. They continue to emphasize the serious consequences for any business that does not take the necessary steps to demonstrate that it is in fact PCI compliant. Check with your IT service provider to ensure your business is meeting the requirements.

Russ Levanway is the CEO of TekTegrity, Inc. TekTegrity is an IT strategy and management firm that provides premium IT services to businesses, government, education and non-profit organizations in San Luis Obispo, Santa Barbara, Monterey and Kern counties. TekTegrity's goal is to become your organization's long-term strategic partner by supporting your IT infrastructure with your bottom line in mind. Some of TekTegrity's services include system and workstation installation, virtual hosted servers, priority backup, off-site data replication, and Total Systems Management™ (TSM). TSM is an industry-leading managed services model that emphasizes proactive and preventative IT support at a predictable fixed monthly fee. For more information about TekTegrity, you can reach them on the Web at www.tektegrity.com or by telephone at 805-596-0135.
