In 2004, all major bankcards—Visa, MasterCard, Discover, and American Express—adopted a single, unified program as the standard for data security. The new standard, called the Payment Card Industry Data Security Standard or PCI, is intended to protect cardholder data—wherever it resides or is transmitted—and requires that merchants and service providers that store, process, or transmit cardholder data meet specific security requirements.
Ensuring compliance with the PCI standard is important to organizations for a number of reasons, particularly to protect brand reputation and to avoid fines and additional regulatory scrutiny. In fact, the October 1, 2006 issue of the Wall Street Journal highlighted new efforts at Visa to step up PCI compliance enforcement and discussed heavy fines that have been levied on some of the nation’s largest retailers.
Who Must Be In Compliance?
At the most fundamental level, any company that comes into contact with credit card information must be in compliance with the PCI Data Security Standard.
There are varying levels of compliance proof or validation, however, with specific requirements for merchants and specific requirements for service providers, as well as distinct compliance levels based on the number of transactions processed annually by the merchant or service provider.
For more introductory information about the Payment Card Industry Data Security Standard, download the Ecora whitepaper: Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain Payment Card Industry Compliance. For a detailed look at PCI requirements 1, 2, 3, and 4, download the Ecora whitepaper: Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain Payment Card Industry Compliance: An in-depth look at Payment Card Industry Data Security Standard Requirements 1, 2, 3, 4. For a detailed look at PCI requirements 5, 6, 7, 8, and 9, download the Ecora whitepaper: Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain Payment Card Industry Compliance: An in-depth look at Payment Card Industry Data Security Standard Requirements 5, 6, 7, 8, 9.
Meeting the PCI Data Security Standard Requirements
The Payment Card Industry Data Security Standard establishes twelve requirements that companies must follow to ensure the security of credit card data. These requirements span every aspect of an organization’s operation—from business processes to the configuration of the IT infrastructure—and fall into six major control objectives:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Scope of Assessment for PCI Compliance
The PCI Data Security Standard requirements apply to all “system components,” that is, any network component, server, or application that is included in or connected to the cardholder data environment. This means that even remote employees who have access to cardholder data must be in compliance with PCI.
A service provider or merchant may use a third-party provider to manage system components, but because there may be an impact on the security of the cardholder data environment, the services of the third-party provider must be evaluated either in 1) the PCI audits of the third-party provider’s clients or 2) the third-party provider’s own PCI audit. There is really no distinction between your environment and an outsourced environment.
For merchants required to undergo an annual on-site review, the scope of compliance validation is focused on any system or system components related to authorization and settlement where cardholder data is stored, processed, or transmitted. Service providers required to undergo an annual on-site review must perform compliance validation on all system components where cardholder data is stored, processed, or transmitted, unless otherwise specified.
During a PCI audit, auditors will typically select a sample of firewalls, routers, wireless access points, databases, applications, etc. that is large enough to validate findings representative of the entire environment. Importantly, the more standardized the environment—a single operating system, a single database vendor, etc.—and the more clearly configuration standards are defined, the smaller the sample required. Standardization provides valuable benefits, among them reducing the scope of an audit.