PCI SECURITY COMPLIANCE
Over the years, there have been a variety of Payment Card Industry (PCI) initiatives brought forth by each of the different payment card networks that include Visa’s Cardholder Information Security Program (CISP), MasterCard’s Site Data Protection (SDP), American Express’ Data Security Operating Policies (DSOP) and Discover’s Information Security and Compliance (DISC) regulations. In December of 2004, the Card Associations came together to create a single security program to set a single standard for merchants to comply with called the Payment Card Industry Data Security Standard (PCI DSS).
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized.
The PCI DSS requirements are as follows:
- Build and Maintain a Secure Network
  - Install and maintain a firewall configuration to protect data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data and sensitive information across open public networks
- Maintain a Vulnerability Management Program
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  - Restrict access to data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
- Maintain an Information Security Policy
  - Maintain a policy that addresses information security
For most merchants, certifying to the PCI DSS standard means completing a detailed self-assessment form and receiving quarterly network scans from an independent auditor. For larger merchants, those with 6 million or more transactions annually, the regulations require a detailed onsite assessment. Even merchants who process fewer than 20,000 transactions annually are required to comply with the regulations, even though they are not currently required to be validated by the Card Associations. Certification and compliance guidelines for smaller merchants are dictated by their merchant bank.
Regardless of your size, failure to comply can lead to steep financial and operational penalties. The first time any of your data is compromised, the Visa fine is $50,000. For any subsequent breaches, the fine increases exponentially. More importantly, Visa, MasterCard, Discover and other payment card companies can and have taken away the ability of the merchant to accept credit cards.
Since these regulations have been in existence for a substantial number of years, any organization that you choose to do business with should be able to provide you proof of their certification for PCI DSS. Less stringent certification requirements, such as the PABP, have been created, which are detailed below. For more information regarding PCI DSS, you can read Visa's PCI information.
NDMS and all of the payment card associations endorse the PA-DSS, which includes the following security requirements:
- Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data
- Protect stored cardholder data
- Provide secure authentication features
- Log payment application activity
- Regularly monitor and test networks
- Develop secure payment applications
- Protect wireless transmissions
- Test payment applications to address vulnerabilities
- Facilitate secure network implementation
- Cardholder data must never be stored on a server connected to the Internet
- Facilitate secure remote software updates
- Facilitate secure remote access to payment application
- Encrypt sensitive traffic over public networks
- Encrypt all non-console administrative access
- Maintain instructional documentation and training programs for customers, resellers and integrators
The complete PA-DSS along with a list of qualified PA-QSAs and PA-DSS validated payment applications can be found by visiting the following website: www.pcisecuritystandards.org
Summary of Laws and Regulations
There are a variety of law enforcement agencies involved with the enforcement of credit card and transaction laws. You need to check your local, state and federal laws to find out which ones pertain to credit card sales transactions and merchants. No state in the U.S. accepts ignorance of the law as a defense. A good collection of these laws can be found at the FTC's Credit Website. Also visit the Fair Credit Billing Act.
There are also a variety of laws that pertain to the safeguarding of customer’s sensitive information: California Database Protection Act, Gramm-Leach-Bliley Act, FTC Security Regulations applying to GLB, FTC Financial Institutions and Customer Data, U.S. Department of Treasury: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
The U.S. Secret Service has been the primary law enforcement agency for credit card crimes. They handle all levels of criminal activity involving credit card crimes.
Reporting to Law Enforcement
One of the reasons thieves do what they do is because they believe they will get away with their criminal acts. This holds true with credit card fraud and theft. If you experience criminal behavior in your business, you need to report it. If you think that someone else will report it and you don’t need to, the thief could go on forever and never face the consequences of his or her actions.
Immediately after an incident, gather all of the information you have regarding the incident. Take a moment to outline a summary of the actions and facts regarding the incident. This will help make sure that you don’t forget anything when you talk to a law enforcement officer later.
Be sure to contact an appropriate law enforcement agency to file a report.