What is the Payment Card Industry (PCI) Data Security Standard?
Paymetric Implementation Masks a Looming Change to the Payment Card Industry
In 2007, I was implementing the Paymetric XiPay module for a client. We were integrating Paymetric with their SAP system. At the time, I remember having a conversation with the IT guy regarding an annual audit that they needed to pass for accepting credit cards. Whilst it was of minor interest at the time, it did not have any major impact on the implementation. Little did I know how significant that conversation actually was. Huge changes were about to affect the payment card industry.
What Led to the Payment Card Industry Change?
We have all seen the news headlines in the last few years, where hundreds of thousands of credit card numbers have been stolen or in some cases "misplaced". I have been on the receiving end at least 3 times, where my credit card has been compromised and led to the issuance of a new payment card. Fortunately, the payment card industry has been very vigilant to strange activity on credit cards, and I have never been held responsible for those charges. But the net result has been millions (if not billions) of dollars lost due to credit card fraud.
New Payment Card Industry Data Security Standard (PCI DSS)
Since September 30 2007, all companies (merchants and payment card service providers) that deal with credit cards have been subject to strict new security standards. These standards were developed by the PCI Security Standards Council, a consortium of the biggest international payment card issuers (comprising American Express, Visa International, MasterCard Worldwide, Discover Financial Services and JCB International). To ensure PCI compliance, all merchants and service providers are audited annually. These new requirements, along with the accompanying audits, have added significantly to the cost overheads for these companies.
What Are the PCI Standards?
There are 12 PCI requirements in total, grouped into 6 areas of vulnerability, and all of them must be met.
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall to protect cardholder data
- Requirement 2: Make sure you create and use your own strong passwords (don't use vendor supplied passwords)
Protect Cardholder Data
- Requirement 3: Protect stored Cardholder data
- Requirement 4: Encrypt data transmission of cardholder data across public networks
Implement a Vulnerability Management Program
- Requirement 5: Use and regularly update Anti-Virus programs and measures
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control
- Requirement 7: Restrict access to cardholder information to personnel with a strict business need-to-know
- Requirement 8: Each person needs to be assigned a unique ID for computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a security policy that includes both employees and contractors
PCI Compliance & PCI Audit Requirements
The level of the annual PCI audit depends on the number of payment card transactions that your company processes. But in general, there are 2 annual audit requirements:
- A PCI data security assessment (on site or self assessment)
- A third-party network scan (quarterly or annually)
Consequences of PCI DSS Non-Compliance
There are 4 main potential consequences:
- Card companies may impose fines of up to $500,000 on the banks if their merchants are not compliant.
- Merchants risk losing their ability to process credit cards.
- Businesses whose cardholder data has been compromised are obliged to notify legal authorities and provide free credit-protection services to those who are affected.
- Cardholders may sue you. This may lead to bad publicity and potential loss of business.
I hope this brief overview of PCI DSS has been informative.
Feel free to add Comments and Questions.