Identity theft and credit card fraud are a large and growing problem. The Federal Trade Commission estimates that almost 10 million consumers were affected last year, at a cost of close to $50 billion. To combat this growing menace, Visa, MasterCard, American Express, Diners Club, Discover and other major credit card providers joined together to introduce a single compliance standard: the Payment Card Industry (PCI) Data Security Standard. The standard unites and supersedes the individual programs that were in place before it, such as Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP) program. It is intended to protect cardholder data wherever it resides, ensuring that members, merchants and service providers maintain the highest levels of information security. The PCI standard came into effect on December 14th, 2004, and merchants and service providers are required to be PCI compliant by June 30th, 2005.
Like all compliance programs, PCI consists of two separate components, both of which must be implemented in order to be PCI compliant:

1. Compliance with PCI requirements
2. Validation of PCI compliance
Each of these components is discussed in more detail below.

PCI Requirements

PCI mandates that all merchants follow the twelve requirements listed below. In addition, there is an implicit thirteenth requirement to verify compliance with PCI, which is often overlooked but is an integral part of any PCI compliance program.

PCI Requirements
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for passwords and security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business "need to know"
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

PCI Compliance
13. Verify PCI compliance

The requirement to verify PCI compliance is discussed in more detail in the next section.
PCI Compliance
The first thing to note about PCI compliance is that the cost of non-compliance is high. In the event of a security breach, a merchant must immediately investigate the incident and limit the exposure of cardholder data, must immediately notify the appropriate credit card entity, and must report on its investigation of the incident. Merchants or service providers that have been compromised but were found to be PCI compliant at the time of the breach will not be fined. However, any merchant or service provider that is compromised and was not PCI compliant at the time of the breach is subject to fines of up to $500,000 per incident. Credit card issuers divide their merchants into four levels based on the number of transactions processed every year.
Each level is subject to a different set of compliance activities, with the strictest rules applied to level 1 merchants. In addition to transaction volume, any merchant that has suffered a hack or an attack resulting in account data compromise will automatically be required to meet level 1 compliance requirements. Further, the card issuer may, at its discretion, require any merchant in its network to meet level 1 requirements. In view of this, our recommended best practice is to follow level 1 requirements regardless of activity level. This white paper will focus on the compliance validation activities required of level 1 merchants.
Participating merchants must pay for their own PCI compliance assessment, and the cost of compliance depends on the extent to which they are already in compliance. A level 1 merchant must submit an annual Report on Compliance, validated either by an approved independent auditor or by an internal audit department, provided in the latter case that a letter signed by an executive-level officer of the company accompanies the report. For level 1 merchants required to undergo an annual compliance review, the scope of validation is focused on the systems or system components related to authorization and settlement where cardholder data is processed, stored or transmitted.

The Solidcore Solution

Solidcore provides categorical control over IT infrastructure, enabling retailers and other merchants to fulfill PCI requirements and validate PCI compliance in an efficient and cost-effective manner.