PCI v1.1 Primer: How Does PCI Apply To Wireless LANs?

By: Aruba Networks
Published: Feb 28, 2007
Length: 11
Type: White Paper
Overview:

With credit card theft rising 21% annually, every retailer needs to reconcile the urgent need for PCI-compliant security with the equally essential need to increase sales and reduce costs through mobile applications.

Now you can assure just that: PCI-level security, stronger brand protection and a better in-store experience. Download this paper now to learn more.

Related categories: Compliance, Customer Experience Management, Database Security, PCI Compliance, WLAN, Wireless Security
 
Credit card theft is costing the U.S. economy an estimated $500 million a year [1], and the cost to the economy has increased at 21% annually over the last two years [2]. In an effort to curb the sharp rise and strikingly large impact of credit card theft, the top five payment card brands - American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International - have formed the Payment Card Industry (PCI) standards council. This council has defined security guidelines in the form of the PCI Data Security Standard (PCI DSS), which applies globally to all merchants and service providers that store, process or transmit credit card data.

The PCI DSS standard consists of "a set of comprehensive requirements for enhancing payment account data security" that includes twelve major security requirements to secure payment account information and testing methodologies to ensure these requirements are met.

On January 1, 2007, a new revision of the PCI DSS, called PCI DSS v1.1, went into effect. PCI DSS v1.1 succeeds the PCI DSS of January 2005 (a.k.a. PCI v1.0), which in turn succeeded the VISA CISP standard. In PCI DSS v1.1, requirements have been added, clarified and modified to reflect changes in the security landscape since 2004 and to offer alternatives that make compliance more practical for retailers.

The increasing adoption of WLANs creates a new set of security threats and vulnerabilities for networks in retail stores that carry credit card data. To this end, PCI DSS v1.1 provides specific security requirements for different wireless LAN applications, from wireless in-store inventory applications to applications such as wireless Point-Of-Sale that transmit payment card information over the air. There are even requirements for retailers that do not operate wireless LANs but may come into contact with them in ways that could affect the security of the retailer's connection to the credit card processing network. This paper describes every requirement in the new PCI DSS v1.1 that relates to wireless LANs, and the solutions for meeting it.


PCI Compliance

PCI compliance, mandatory for retailers worldwide, has direct and indirect business benefits. First, no retailer who is PCI-compliant has ever been a victim of credit card theft. Beyond the direct cost savings of avoiding a breach, there is a tacit benefit to the retailer's brand. The threat of identity theft to consumers is real, and consumers are not likely to remain loyal to brands they cannot trust with their private information.

Secondly, there are bank-imposed monetary penalties that apply if a retailer is found out of compliance. While the PCI standards council defines the security standard and facilitates the compliance process, compliance is enforced by each of the payment card brands. As an example, Visa USA (the US arm of one of the five major banks) stated that it alone levied $4.6 million in penalties in 2006. Penalties levied on a retailer vary based on numerous parameters, such as the number and magnitude of incidents. Penalties are imposed in the form of monthly cash payments, lump-sum cash payments or increases in credit card transaction fees.

Achieving PCI compliance requires adhering to the security requirements outlined in the PCI security standard. Retailers filing for first-time compliance or submitting for annual re-compliance after January 1, 2007 must meet the security requirements outlined in the PCI DSS v1.1 standard. The PCI standards council has outlined a compliance process that includes security assessments, security scans and questionnaires. The exact process varies depending on the "level" to which a retailer belongs. This level is usually determined by the number of credit card transactions a retailer handles per year: the higher the number of transactions, the more involved the certification process, including third-party validation.

What's New with PCI v1.1?

In May 2006, the PCI DSS was updated to version 1.1 to "foster broad adoption by acknowledging practical implementation issues, incorporating partner and customer feedback, while maintaining the robustness of security measures." The updates to the standard fall into three general categories:

- Clarification of requirements set forth in the first version of the standard.

- Adding an element of flexibility with compensating controls to allow for technology or business constraints.

- Addition of security measures to keep up with the latest trends and vulnerabilities.