Industry View

Payment Card Industry Compliance

Ignoring the PCI Data Security Standard is risky business. Here's how you can prepare for compliance.

By Joan Herbig

August 10, 2006 | CSO

When electronic commerce made its debut in the roaring '90s, it opened up a whole new way to do business, and a whole new set of challenges. The Cardholder Information Security Program (CISP) was first created by Visa as a response to the emergence of e-commerce, a new payment acceptance methodology. MasterCard, American Express and Discover Card also agreed with the need for a new data-protection standard, and in 2004 the CISP requirements became part of a new industry standard known as the Payment Card Industry (PCI) Data Security Standard. PCI pertains to all companies that use, process or store cardholder data, including small and mid-size retailers. This standard mandates that companies that use cardholder data meet new security standards, including completing quarterly network scans and annual assessments or audits.

Ignoring PCI is certainly an option, but it entails more risks than most companies are, or should be, willing to take. When customers offer their cards at the point of sale, whether over the Internet or on the phone, they want assurance that their account information is safe, not just at the retailer accepting their payment information, but all the way down the chain, including all companies processing and storing that information. If hackers compromise a system, a company's reputation can be damaged beyond repair. Further, noncompliance in the Visa world, when confirmed during the course of a forensics investigation, can result in financial penalties of up to $500,000. In other words, the negative impact of noncompliance is severe in terms of both the company's financial position and image, not to mention the expenses that could be incurred defending against litigation and containing PR damage.

What Does PCI Require of Me?

According to the creators of the standard, the more transactions a company processes, the more interesting it will be to hackers, as criminals seek targets with the largest amounts of data. As a result, according to PCI standards, merchants that process more than 6 million transactions a year are particularly at risk and need to adhere to a more rigorous compliance process. For merchants, this typically involves an annual independent review or an internal audit and an independent quarterly scan.

For merchants that process fewer transactions than the benchmark of 6 million per year, the compliance process is less rigorous. However, it does require an annual self-assessment and independent quarterly scans. Retailers that process fewer than 20,000 transactions annually are advised to take the same measures.

PCI requirements run the gamut from basic security precautions to more advanced security policies and procedures. The requirements include using and regularly updating antivirus software, maintaining secure systems and applications, restricting access to data to those who absolutely need it and assigning unique ID numbers to each person with computer access.
