Wednesday, 9 April 2008

What is the PCI Anyway?

The Payment Card Industry Data Security Standard, or PCI, lists 12 items that retailers, online merchants, data processors and other businesses that handle credit card data will have to start meeting by June 1. The PCI Data Security Standard combines components of MasterCard's SDP security compliance program and Visa's Cardholder Information Security Program (CISP).
Specifications of the program require that merchants:

  1. Install and maintain a working network firewall to protect credit card data from other networks, including the Internet.
  2. Keep security patches up to date on all systems involved with credit card data.
  3. Encrypt stored credit card data.
  4. Encrypt data sent across networks using acceptable methods.
  5. Use and regularly update anti-virus software.
  6. Restrict access to data by business "need to know."
  7. Assign a unique User ID to each person with computer access to data to provide accountability.
  8. Do not use vendor-supplied defaults for system accounts and passwords and other security parameters.
  9. Monitor and log access to data by unique User ID.
  10. Test security systems and processes.
  11. Implement and maintain a security policy and processes. This includes assigning responsibility within the organisation.
  12. Restrict physical access to cardholder information.

The PCI program applies not only to online merchants, but also mail-order, telephone order (MOTO) third party processing agents, "card-not-present" processes, and anyone who stores cardholder data on an electronic system.

Most small merchants will need to conduct an external vulnerability assessment to be compliant.

Why comply with these standards?
VISA argues that the program will provide merchants with a competitive edge. They point to consumer studies which show that customers would prefer to deal with merchants they feel safe with.

For the smaller merchants, this is basically a risk issue. These retailers need to weigh the cost of implementing control systems against the cost of doing business and, in particular, the cost of not complying.

How does this affect my business?
Many POS systems used by retailers store credit card information for up to a month for backup or settlement reasons. Under the PCI requirements, this information needs to be encrypted.
Retailers will need to review what data they capture and forward when they scan a credit card in stores. Merchants who store card data for automated processing later will need to carefully review the systems and the controls around them.
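As an added example that is not part of the original post, here is how a POS settlement or backup store could hold the card number encrypted at rest (requirement 3) and release it only under a logged, individual user ID (requirements 7 and 9), written in Go against the standard library's AES-GCM. The key, the user ID and the card number are constructed for the demo and are not real values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"log"
)

// NewCardCipher builds AES-256-GCM from a 32-byte key. The key belongs in a
// key-management system, never in the same store as the encrypted records.
func NewCardCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals the PAN before the POS writes it to its settlement or backup
// store (requirement 3). A fresh random nonce is prepended to the ciphertext.
func Encrypt(gcm cipher.AEAD, pan string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Decrypt recovers the PAN for settlement. userID is the individual's unique
// ID (requirement 7); every attempt is logged under it (requirement 9).
func Decrypt(gcm cipher.AEAD, rec []byte, userID string) (string, error) {
	if userID == "" {
		return "", errors.New("refused: no unique user ID")
	}
	log.Printf("PAN access attempt user=%s", userID)
	n := gcm.NonceSize()
	if len(rec) < n {
		return "", errors.New("record too short")
	}
	pt, err := gcm.Open(nil, rec[:n], rec[n:], nil) // GCM tag rejects tampering
	return string(pt), err
}

func main() {
	gcm, _ := NewCardCipher([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key
	rec, _ := Encrypt(gcm, "4111111111111111")                            // constructed test PAN
	pan, err := Decrypt(gcm, rec, "clerk-17")
	log.Println(pan == "4111111111111111", err)
}
```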

For most small retailers, a quarterly external vulnerability assessment is a basic requirement. With the level of threats on the Internet these days, this can only be a good thing.
How can they make me comply?

The card companies are primarily pushing PCI through the acquirers, such as the banks. As the principal underwriters of the merchants, the banks and other acquirers are responsible for the fines and don't want to have to accept the liability. Many acquirers are making PCI compliance part of the merchant agreements.
