The PCI Data Security Standard

WHITEpaper
The PCI?Data Security Standard:
It's Everywhere Your Credit Card Data Wants to Be
page 2 Introduction
page 2 The Basics of the PCI DSS: Who Must Comply, Compliance Requirements, Validation Requirements and Sanctions
page 4 Compliance Requirements:?12 Steps to Data Security?
page 5 Validation Requirements:?Maintaining and Demonstrating Compliance
page 6 Arriving Where You Want to Be:?PCI?Implementation
1Daniel J. Langin, Attorney at Law LLC ©2007 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.WHITE?PAPERThe PCI?DSS:?It's Everywhere Your Credit Card Data Wants to Be
IntroductionA major advertising campaign by Visa states that the card is accepted "everywhere you want to be." Unfortunately (and through no fault of Visa), a great deal of credit card data and other sensitive information has ended up in a lot of places that people would rather want it not to be. It seems that not a day goes by without reports of a high-profile credit card or credit data loss or compromise. The Washington Post has 2dubbed 2005 "the year of the data breach ."
Unfortunately, these events are usually followed by calls in the press and government for additional data protection legislation. Representative Edward Markey of Massachusetts cited the infamous CardSystems, Inc. security breach (causing the theft of up to 40 million credit card records) as an event that "only under-3scores the need for new federal legislation to protect American consumers ." The rash of data loss and compromise incidents even caused the CISO of one of the victimized companies to remark that "Intervention is good. but the toughest part about legislation right now is you don't know where it's coming from and you 4don't know what to expect ."
Long before these recent incidents and calls for legislation, however, Visa created a private standard known as CISP, or the Cardholder Information Security Program, which applied to all Merchants and Service Providers that handle Visa payments or card data. This program began in 2001, but more recently, Visa and American Express, Diner's Club, Discover, JCB and MasterCard collaborated to create a new set of standards, based on CISP, known as PCI (DSS) (Payment Card Industry Data Security Standard). All merchants and service providers that handle, transmit, store or process information concerning any of these cards, or related card data, were required to be compliant with PCI as of June 30, 2005.
In September 2006, the PCI Security Standards Council released the new PCI Data Security Standard v1.1. This paper discusses the basic requirements of PCI, with a focus on the administrative and technical elements of the program. It also reviews the validation requirements of the standard and potential sanctions for failure to comply.
The Basics of PCI: Who Must Comply, Compliance Requirements, Validation Requirements and SanctionsBefore exploring the details of the compliance and validation requirements, it is important to have a basic working knowledge of the "who, what, why and when" of PCI. First, it is important to note that PCI is not a law: It is a private security standard that members, merchants and service providers must follow pursuant to their contracts with the credit card companies. Although PCI is not a law, it is enforceable by the credit card companies through contractual penalties or sanctions that include revocation of the company's right to accept or process credit card transactions.
5PCI applies to all members, merchants and service providers that store, process or transmit cardholder data , whether that data is received in a point of sale, phone, e-commerce or other type of transaction. It applies
1 Daniel J. Langin is the principal of Daniel J. Langin, Attorney at Law, LLC. He has over 16 years of experience in private and corporate practice, including ten years of experience in technology, insurance coverage and intellectual property litigation and counseling. For more information, see www.langinlaw.com or contact Daniel at (913) 661-2430 or dlangin@langinlaw.com. This article is provided for general educational and informational purposes. It is not intended to provide legal advice. 2 "Firm Says Up to 40m Credi... [download for more]