All merchants and organizations that store, process or transmit cardholder data (whether that be in person, over the phone, online or by mail) are required to adhere to strict data security standards. The Payment Card Industry Security Standards were developed by the PCI Security Standards Council (PCI SSC), which was launched in 2006 by the major card brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa). Security standards were developed for the protection of cardholder data in a global, consistent manner and include requirements for the Data Security Standard (PCI DSS), which applies to any entity that stores, processes or transmits cardholder data, Payment Application Data Security Standard (PA-DSS), for software developers and integrators of applications, and PIN Transaction Security (PTS) for manufacturers of financial transaction devices that store person identification numbers (PINs).
What Businesses Need To Do
The PCI DSS Goals and Requirements were developed to be easily understood. They include:
Goals | PCI DSS Requirements |
Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
Protect Cardholder Data | 3. Protect stored data 4. Encrypt transmission of cardholder data across open, public networks |
Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications |
Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data |
Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes |
Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
Businesses need to be proactive from the gate. To avoid non-compliance and possible data security risks they need to stay ahead of the pack by educating their stakeholders and employees about compliance, working closely with their payment processing provider, checking the PCI SSC site regularly for updates, as well as staying abreast of any pertinent news from the card companies (each card brand has its own set of rules for compliance as well – see the links provided below).
What happens if a business encounters a data breach or is found to be non-compliant? Aside from the risk of compromising cardholder data and possibly losing trust in their customers, the business can be fined by the card associations and/or forced to undergo a forensic audit, which can be costly. Merchants are having a tough enough time in this economy and should not jeopardize their business further by using risking non-compliance and incurring costs that can be otherwise avoided.
Resources