It's difficult to pick up a news report without reading about another data breach or case of identity theft. With so much personal and financial information stored and transmitted electronically, consumers are at greater risk than ever of becoming victims of fraud.
Whitepaper: PCI Compliance LaGarde E-Commerce Solutions25055 West Valley Parkway,Olathe, KS 66061913.489.0800913.489.0833www.lagarde.com
The Method Behind PCI's Madness
It's difficult to pick up a news report without reading about another data breach or case of identity theft. With so much personal and financial information stored and transmitted electronically, consumers are at greater risk than ever of becoming victims of fraud.
In a survey of 4,900 adults, approximately 8.3 million American consumers discovered that their personal information had been used in 2005 to open fraudulent bank, credit card or utility accounts, or used to commit other crimes, according to the U.S. Federal Trade Commission's (FTC) Identify Theft Survey Report.
The FTC also received more than 670,000 consumer fraud and identity theft complaints, of which 36% were identity theft com-plaints and 64% were related to other types of fraud. Consumers reported losses of more than $1.1 billion from fraud. Credit card fraud was the most common form of reported identity theft at 25%, followed by phone or utilities fraud (16%), bank fraud (16%) and employment fraud (14%).
Many of these cases could have been lessened or prevented if the proper processes, network management systems and technolo-gies had been in place. In response to this alarming trend, a consortium of companies-MasterCard, VISA, American Express, Dis-cover and JCB-established data security measures for merchants, banks and service providers. The Payment Card Industry Data Security Standard (PCI DSS, often referred to as PCI) is a multifaceted standard that includes requirements for security manage-ment, policies, procedures, network architecture, software design and other critical protective measures.
The PCI DSS addresses both technical and administrative weaknesses, specifically those affecting sensitive cardholder data, and lists requirements companies must meet to minimize the impact of those vulnerabilities on security.
The goal of PCI is to improve data protection strategies that will allow consumers to swipe their credit cards with more trust that the confidentiality of their information will not be compromised. PCI also creates an open security standard that is achievable by all merchants for the protection of cardholder data.
Core Principles
The PCI standard requires continuous validation of security efforts, so companies complying with PCI DSS can't simply implement solutions and then forget about them.
Ensuring Payment Card Industry (PCI) compliance requires an understanding of data storage and encryption requirements, device integration considerations and logging and reporting parameters for distributed networks. Organizations address the PCI require-ments by offering centralized management of security rules and policies across a distributed environment, real-time monitoring and logging services and historical compliance reporting.
1Whitepaper: PCI Compliance LaGarde E-Commerce Solutions25055 West Valley Parkway,Olathe, KS 66061913.489.0800913.489.0833www.lagarde.com
The core of the PCI DSS is a group of six principles and accompanying requirements, around which the specific elements of the DSS are organized:
Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security Companies tend to have more success being compliant when PCI DSS is coordinated with corporate business processes. Integrat-ing the DSS with corporate security standards ensures that security controls are rigorously enforced... [download for more]
