Achieve and Maintain Compliance with PCI Data Security Standard - Part 1

By: Ecora Software
Published: Oct 26, 2006
Length: 4
Type: White Paper
Overview:
Learn how to adhere to the PCI Data Security Standard by automating the regulatory compliance and best-practices reporting typically used to identify and validate IT configuration changes across operating systems, database management systems, applications, and network devices.
Related categories: Compliance, Database Security, Information Management, PCI Compliance
Until recently, ensuring compliance was most often viewed as an event rather than as a critical, ongoing business process. Taking a tactical approach, an organization would learn of an upcoming audit and only then begin to prepare documentation and gather information, in what was often a time-consuming and cumbersome manual process.

Today, however, with the growing pressure of government compliance requirements and industry regulations, continuous compliance needs to become integrated into the way an organization does business. And, as with any integrated business process, the ability to simplify and automate it has become essential.

One new standard that is changing the way many organizations operate is the Payment Card Industry (PCI) Data Security Standard. When customers use their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is secure. To that end, in June 2001, Visa introduced the Cardholder Information Security Program (CISP), a mandated security program for large Internet merchants. In 2004, the major bankcard brands, including Visa, MasterCard, Discover, and American Express, agreed to adopt a single, unified security program as the standard for data security. The new standard, called the Payment Card Industry Data Security Standard (PCI DSS, or simply PCI), is intended to protect cardholder data wherever it is stored or transmitted, and requires that merchants and service providers that store, process, or transmit cardholder data meet specific security requirements. Ultimately, PCI offers a systematic approach to safeguarding sensitive data for all card brands.

Why Is PCI Compliance Important?
Ensuring compliance with the PCI standard is important for a number of reasons, but perhaps the most significant is to protect brand reputation. The public scrutiny that accompanies any security breach can be very damaging to an organization's image.
Any organization doing business in California, for example, is required to disclose a security breach publicly under the state's breach notification law, Senate Bill 1386 (SB 1386), and there is no faster way to lose customer confidence than to be forced to report publicly that credit card numbers have been stolen. In fact, a recent study by the Ponemon Institute reports that data breach disclosures, in time, can result in the loss of as many as 20 percent of existing customers.

The second reason for ensuring compliance with the PCI standard is to avoid fines and additional regulatory scrutiny. Failure to comply with the PCI Data Security Standard can result in fines that range from $200,000 to $500,000 per security breach, as well as additional government-levied fines that can range from $5 million to $20 million. In addition, once an organization has failed a PCI audit, it is assigned an elevated risk status and becomes subject to more extensive PCI audits. The ultimate penalty is suspension of status and the loss of the ability to accept and process credit cards. Some organizations have even been forced out of business by a violation of the PCI Data Security Standard.

Who Must Be In Compliance?
At the most fundamental level, any company that comes into contact with credit card information must comply with the PCI Data Security Standard.
The required proof of compliance, or validation, varies, however: there are specific requirements for merchants and specific requirements for service providers, and within each, several levels based on the number of transactions processed annually. A merchant that processes more than six million Visa transactions each year is assigned to "level 1," as is, for example, a merchant that has experienced a security breach. Those at level 1 are subject to significantly higher levels of scrutiny than merchants at level 2, 3, or 4.

For service providers, there are three levels of compliance. Level 1 encompasses all payment processors, member and non-member, and all payment gateways. Level 2 is made up of service providers not in level 1 that process more than one million transactions annually, and level 3 includes any service providers not in level 1 that process fewer than one million transactions in a given year. Audits for PCI compliance vary depending on a merchant's or service provider's level.
