Winning the PCI Compliance Battle: A Guide for Merchants and Member Service Providers

By: Qualys
Published: Oct 31, 2006
Length: 7
Type: White Paper
Overview:
This white paper reviews the basics of PCI, including who must comply, compliance requirements, validation requirements and penalties. It also examines key things to look for when selecting a PCI network testing service and introduces QualysGuard PCI.

Topics in this white paper include:
  • Compliance Requirements of the PCI Data Security Standard
  • Participation and Validation Requirements
  • Selecting a PCI Network Security Testing Service
  • Automating the PCI Validation Process with QualysGuard PCI
Related categories: Auditing, Compliance, Data Protection, Database Security, PCI Compliance

The Payment Card Industry Locks Down Customer Data
The last several years have seen an unprecedented assault on personal and financial data that customers have knowingly or unwittingly entrusted to retailers, banks, service providers and credit card companies. Bank of America, BJ’s Wholesale Club, CardSystems Solutions, ChoicePoint, Citigroup, DSW Shoe Warehouse, Hotels.com, LexisNexis, Polo Ralph Lauren and Wachovia are just a few of the names that have been boldly exposed in the media and pummeled in the financial markets after major data security breaches were revealed. Credit card data in particular has been compromised so frequently that calls for government intervention and regulation became widespread.
Taking another approach, the payment card industry countered the criminal onslaught with a homegrown security initiative that is at once broader in scope and more granular in its requirements than any measures additional government regulation might have imposed. The Payment Card Industry Data Security Standard is a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.
PCI, as it is almost universally known, was originally developed by MasterCard and Visa through an alignment of security requirements contained in the MasterCard Site Data Protection Plan (SDP) and two Visa programs, the Cardholder Information Security Plan (CISP) and the international Account Information Security (AIS). In September of 2006, a group of five leading payment brands including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International jointly announced formation of the PCI Security Standards Council, an independent council established to manage ongoing evolution of the PCI standard. Concurrent with the announcement, the council released version 1.1 of the PCI standard.

Compliance Requirements of the PCI Data Security Standard
The PCI Data Security Standard requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. The core requirements are organized in six categories.

Participation and Validation Requirements
While the newly-established PCI Security Standards Council will manage the underlying data security standard, compliance requirements are set independently by individual payment card brands. While requirements vary between card networks, MasterCard’s Site Data Protection Plan and Visa’s Cardholder Information Security Program are representative. They stipulate separate compliance validation requirements for merchants and service providers, which vary depending on the size of the company. Compliance levels are defined based on annual transaction volume and corresponding risk exposure as outlined in figure 2.

Validation Requirements
Annual on-site security audits – MasterCard and Visa require the largest merchants (level 1) and service providers (levels 1 and 2) to have a yearly on-site compliance assessment performed by a certified third-party auditor.
Annual self-assessment questionnaire – In lieu of an on-site audit, smaller merchants (levels 2, 3 and 4) and service providers (level 3) are required to complete a self-assessment questionnaire to document their security status.
Quarterly external network scans – All merchants and service providers are required to have external network security scans performed quarterly by a certified third-party vendor. Scan requirements are rigorous: all 65,535 ports must be scanned, all vulnerabilities detected of level 3-5 severity must be remediated, and two reports must be issued: a technical report that details all vulnerabilities detected with solutions for remediation, and an executive summary report with a PCI approved compliance statement suitable for submission to acquiring banks for validation.
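As an added illustration (not code from the Qualys paper or from QualysGuard PCI), the following Python evaluates a constructed external scan result against the quarterly-scan rules just listed: full 1-65535 port coverage, no unremediated severity 3-5 finding, and the two report views. The 1-5 severity scale, hosts, ports and finding titles are assumptions made up for the example.

```python
# Added example: check a constructed scan result against the paper's three
# quarterly external scan rules. Severity scale 1 (informational) .. 5 (urgent)
# is an assumption; the paper only states that level 3-5 must be remediated.
from dataclasses import dataclass, field

@dataclass
class Finding:
    host: str
    port: int
    severity: int            # assumed 1..5 scale
    title: str
    remediated: bool = False

@dataclass
class ScanResult:
    ports_scanned: set = field(default_factory=set)   # union of ports covered
    findings: list = field(default_factory=list)

ALL_PORTS = set(range(1, 65536))   # the 65,535 ports the rule requires

def missing_ports(scan: ScanResult) -> int:
    """Ports the scan did not cover; any gap means no compliance statement."""
    return len(ALL_PORTS - scan.ports_scanned)

def blocking_findings(scan: ScanResult) -> list:
    """Open findings of severity 3-5; a single one fails validation."""
    return [f for f in scan.findings if f.severity >= 3 and not f.remediated]

def compliance_status(scan: ScanResult) -> str:
    if missing_ports(scan):
        return "INCOMPLETE"          # partial scan cannot be validated
    return "PASS" if not blocking_findings(scan) else "FAIL"

def technical_report(scan: ScanResult) -> list:
    """Detail view: every finding, highest severity first, with its state."""
    return [(f.host, f.port, f.severity, f.title, "fixed" if f.remediated else "open")
            for f in sorted(scan.findings, key=lambda f: -f.severity)]

def executive_summary(scan: ScanResult) -> dict:
    """Summary view suitable for the acquirer: status plus counts only."""
    return {"status": compliance_status(scan),
            "ports_missing": missing_ports(scan),
            "open_sev3_plus": len(blocking_findings(scan)),
            "total_findings": len(scan.findings)}

# Constructed sample: one fixed urgent finding, one open sev-3, one open sev-1.
sample = ScanResult(ports_scanned=set(ALL_PORTS), findings=[
    Finding("10.0.0.5", 443, 5, "outdated TLS library", remediated=True),
    Finding("10.0.0.5", 22, 3, "weak SSH configuration"),
    Finding("10.0.0.7", 80, 1, "server banner disclosure"),
])
```

The open severity-3 item alone turns the sample into a FAIL; the severity-1 item is reported but does not block validation.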

Validation Enforcement
While non-compliance penalties also vary among major credit card networks, they can be substantial. Participating companies can be barred from processing credit card transactions, higher processing fees can be applied, and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance.
Since compliance validation requirements and enforcement measures are subject to change, merchants and service providers should closely monitor the requirements of all card networks in which they participate.

Selecting a PCI Network Security Testing Service
At first exposure, PCI compliance and validation requirements can appear daunting, particularly the external scan requirement. Merchants can simplify the selection process by establishing a few key selection criteria.