Wednesday, May 18, 2011

PCI Compliance - It's Not Just for Merchants

All merchants and organizations that store, process or transmit cardholder data (whether in person, over the phone, online or by mail) are required to adhere to strict data security standards.  The Payment Card Industry Security Standards were developed by the PCI Security Standards Council (PCI SSC), which was launched in 2006 by the major card brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa).  The standards were developed to protect cardholder data in a global, consistent manner and comprise the Data Security Standard (PCI DSS), which applies to any entity that stores, processes or transmits cardholder data; the Payment Application Data Security Standard (PA-DSS), for software developers and integrators of payment applications; and PIN Transaction Security (PTS), for manufacturers of financial transaction devices that handle personal identification numbers (PINs).

What Businesses Need To Do

The PCI DSS Goals and Requirements were developed to be easily understood.  They include:

Goal: Build and Maintain a Secure Network
  1.  Install and maintain a firewall configuration to protect cardholder data
  2.  Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data
  3.  Protect stored cardholder data
  4.  Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program
  5.  Use and regularly update anti-virus software or programs
  6.  Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures
  7.  Restrict access to cardholder data by business need-to-know
  8.  Assign a unique ID to each person with computer access
  9.  Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Goal: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

Businesses need to be proactive from the start.  To avoid non-compliance and the data security risks that come with it, they need to stay ahead by educating their stakeholders and employees about compliance, working closely with their payment processing provider, checking the PCI SSC site regularly for updates, and staying abreast of any pertinent news from the card companies (each card brand also has its own compliance program; see the links provided below).

What happens if a business suffers a data breach or is found to be non-compliant?  Aside from the risk of compromising cardholder data and losing its customers' trust, the business can be fined by the card associations and/or required to undergo a forensic audit, which can be costly.  Merchants are having a tough enough time in this economy and should not jeopardize their business further by risking non-compliance and incurring costs that can otherwise be avoided.

Resources

·         PCI SSC: https://www.pcisecuritystandards.org/
·         American Express: www.americanexpress.com/datasecurity
·         Discover Financial Services: www.discovernetwork.com/fraudsecurity/disc.html
·         JCB International: www.jcb-global.com/english/pci/index.html
·         MasterCard Worldwide: www.mastercard.com/sdp
·         Visa Inc: www.visa.com/cisp (U.S.)

Friday, March 4, 2011

Connex Info Systems, Inc.

Connex Info Systems is a global IT services company specialized in developing software applications in the Payment Card Industry. The unique combination of industry knowledge, real-world experience and cost-effective service offerings has provided an edge and helped Connex evolve as one of the leading technical solutions providers in this industry.

With corporate headquarters in Irvine, CA and a software development centre in Bangalore, India, Connex offers you the convenience and security of working with a reliable U.S. corporation plus all the benefits of a highly affordable offshore outsourced development team. With resources available onshore and offshore, we work with you to design a suitable model that fits your needs with a combination of onsite, onshore and offshore development.

Our goal is to become your long-term, trusted outsourced software development partner. Our teams become an extension of your in-house IT team, dedicated to meeting your software development needs today and growing with you as your needs evolve.

Between our in-house resources and immediate access to college-educated, highly skilled developers, we are able to create teams according to your requirements, with exactly the skills and experience you need. Whether you need one top-notch technical specialist or a team with diverse skill sets to extend your own internal resources, Connex can meet your needs quickly and affordably.