The PCI Data Security Standard

By: Tripwire
Published: Feb 01, 2007
Length: 6
Type: White Paper
Overview:

Major incidents of high-profile credit card or credit data loss seem to make the news on a regular basis. Long before these incidents, however, Visa created a private standard known as CISP, or the Cardholder Information Security Program. More recently, Visa, American Express, Diner's Club, Discover, JCB, and MasterCard collaborated to create a new set of standards known as the Payment Card Industry (PCI) Data Security Standard.

All merchants and service providers who handle, transmit, store, or process information concerning any of these cards, or related card data, are required to be compliant with PCI.

Download this paper to understand PCI. Is your business compliant?

Related categories: Access Control, Authentication, Change Management, Compliance, Data Management, Data Protection, Database Security, Intrusion Prevention, PCI Compliance

A major advertising campaign by Visa states that the card is accepted "everywhere you want to be." Unfortunately (and through no fault of Visa), a great deal of credit card data and other sensitive information has ended up in a lot of places where people would rather it not be. It seems that not a day goes by without reports of a high-profile credit card or credit data loss or compromise. The Washington Post has dubbed 2005 "the year of the data breach."

Unfortunately, these events are usually followed by calls in the press and government for additional data protection legislation. Representative Edward Markey of Massachusetts cited the infamous CardSystems, Inc. security breach (causing the theft of up to 40 million credit card records) as an event that "only underscores the need for new federal legislation to protect American consumers." The rash of data loss and compromise incidents even caused the CISO of one of the victimized companies to remark that "Intervention is good... but the toughest part about legislation right now is you don't know where it's coming from and you don't know what to expect."

Long before these recent incidents and calls for legislation, however, Visa created a private standard known as CISP, or the Cardholder Information Security Program, which applied to all Merchants and Service Providers that handle Visa payments or card data. This program began in 2001, but more recently, Visa, American Express, Diner's Club, Discover, JCB and MasterCard collaborated to create a new set of standards, based on CISP, known as PCI DSS (Payment Card Industry Data Security Standard). All merchants and service providers that handle, transmit, store or process information concerning any of these cards, or related card data, were required to be compliant with PCI as of June 30, 2005.

In September 2006, the PCI Security Standards Council released the new PCI Data Security Standard v1.1. This paper discusses the basic requirements of PCI, with a focus on the administrative and technical elements of the program. It also reviews the validation requirements of the standard and potential sanctions for failure to comply.

The Basics of PCI: Who Must Comply, Compliance Requirements, Validation Requirements and Sanctions

Before exploring the details of the compliance and validation requirements, it is important to have a basic working knowledge of the "who, what, why and when" of PCI. First, it is important to note that PCI is not a law: It is a private security standard that members, merchants and service providers must follow pursuant to their contracts with the credit card companies. Although PCI is not a law, it is enforceable by the credit card companies through contractual penalties or sanctions that include revocation of the company's right to accept or process credit card transactions.

PCI applies to all members, merchants and service providers that store, process or transmit cardholder data, whether that data is received in a point of sale, phone, e-commerce or other type of transaction. It applies to all "system components," which PCI defines as "any network component, server, or application included in, or connected to, the cardholder data environment." Although the details differ slightly for each of the credit card companies that require PCI compliance, the PCI DSS is made up of a set of 12 individual compliance requirements (each of which includes more detailed compliance steps), organized around six primary goals, all of which add up to a comprehensive information security program for protecting credit card numbers and other sensitive cardholder data from loss or compromise.

In addition to the compliance requirements, PCI also contains ongoing validation requirements. These requirements differ somewhat from one credit card company to another, but the most comprehensive requirements (Visa and MasterCard) include three levels of validation: (1) an on-site security audit; (2) a self-assessment questionnaire; and (3) a network scan. The level of validation required, and the frequency of validation efforts, depends upon the rating assigned to the Merchant or Service Provider under PCI, which is based on risk and transaction or account volume.

Last, the PCI program also includes monetary penalties and other contractual sanctions for failure to meet its requirements.