Profiting from PCI Compliance

September 2007
Profiting from PCI compliance.Profiting from PCI compliance.Page 2
Executive summaryContents Working together, the major payment card providers have developed a set of data security standards and created a council for enforcing them. Although 2 Executive summary the Payment Card Industry Data Security Standard (PCI DSS) has become a 2 Rethinking PCI requirements global requirement, many organizations are lagging in compliance. For many 3 Mapping PCI compliance to companies, regulatory compliance can already be an overwhelming and confus-your overall governance and ing area to navigate, and the need to comply with the PCI DSS might feel like risk management strategy yet another burden. 5 Understanding the challenges of becoming compliant However, IBM believes that the PCI standard should instead be seen as an oppor-6 Recognizing the value of out- tunity for your organization. The standard is so well designed that it can actually side assistance in achieving serve as the foundation of your risk management strategy going forward. This PCI compliance paper explores the efficiency gains of building a strategy designed around PCI 6 Selecting a third-party vendor compliance. As it discusses the value of obtaining outside support in your compli-7 Why IBM? ance efforts, it also examines potential vendor qualifications.
Rethinking PCI requirementsA number of high-profile security breaches and identity theft operations have driven several companies out of business and highlighted the need for security protocols that protect card data. In the largest payment card breach to date, TJX experienced approximately 45 million stolen customer records. Smaller breaches, though less likely to generate headlines, have nevertheless threatened to under-mine consumer confidence and put businesses that accept card payments at risk.
The standard itself was created as a joint effort by Visa International and MasterCard Worldwide. Then, in September 2006, these two payment card providers joined American Express, Discover Financial Services and JCB to form the PCI Security Standards Council and extend the standard globally across the card brands. Profiting from PCI compliance.Page 
While the PCI standard might seem like another snarl of red tape to companies The six categories of PCI best practices already burdened with financial services industry regulations such as International Taken together, the six areas of data protection Organization for Standardization (ISO)/International Electrotechnical Commission prescribed by the PCI standard help you build (IEC) 27002 and the Sarbanes-Oxley Act, the standard can actually simplify your a comprehensive approach to overall security. They address security concerns from network job enormously. It is so comprehensive and well designed that it can be seen as a protection to security governance policies. compliance enabler for a broad set of industry regulations. And because privacy is a core concern for almost all businesses, PCI standard compliance supports your . Build and maintain a secure network. bottom line.- Create a firewall to secure cardholder data.- G o beyond vendor defaults for passwords and other security parameters. In fact, the PCI standard can actually become the central principle around which . Protect cardholder data. your overall governance and risk management strategy can be organized. By - Protect stored data. adopting the PCI standard as a best practice and aligning its security measures - Encrypt data transmission. with your business processes, you will likely see significant gains in efficiency and . M aintain a vulnerability management program. data security. A review of the sidebar on this page illustrates that the practices that - E mploy and update anti-virus software.- D evelop and maintain application security. comprise the PCI standard are best practices for any security strategy, period. . Implement strong access control measures.- Restrict access to cardholder data on a Who must comply with the PCI Data Security Standard?need-to-know basis.- A ssign a unique ID to each authorized user. All merchants and service providers that store, process, use or transmit - R estrict physical access to cardholder data. payment cardholder data must comply with the standard. The standard is . Regularly monitor and test networks. enforced by the card companies and their acquirer banks.- T rack ... [download for more]