As we all know, the PCI Data Security Standard (PCI DSS, where PCI stands for Payment Card Industry) is a set of requirements for implementing security measures around payment card data. If you sell products or services and store, process or transmit cardholder data, your company must comply with PCI DSS; if it does not, you can be held liable and fined heavily when credit card data is compromised.
The standard applies to every organization that processes, stores or transmits credit card information. It is maintained by the PCI Security Standards Council, founded in 2006 by American Express, Discover, JCB International, MasterCard Worldwide and Visa Inc.; those five card brands jointly run the Council, and each brand enforces the standard on merchants and service providers through its own compliance program.
This guide will help you understand what PCI compliance is, how it works and why it is important for every company to become compliant before the deadline (April 2010). If your organization doesn't comply with PCI DSS by then, don't be surprised when one day you get a call from your merchant bank and hear them say: "you have been breached".
What does PCI compliance encompass?
The standard consists of 12 requirements that cover everything from physical access to buildings to firewall configuration, secure software development, penetration testing and security policy. Here are the 12 requirements, grouped under the six control objectives, that every company must meet in order to be PCI compliant:
Build and maintain a secure network
- 1. Install and maintain a firewall configuration to protect cardholder data
- 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
- 3. Protect stored cardholder data
- 4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
- 5. Use and regularly update anti-virus software
- 6. Develop and maintain secure systems and applications
Implement strong access control measures
- 7. Restrict access to cardholder data by business need-to-know
- 8. Assign a unique ID to each person with computer access
- 9. Restrict physical access to cardholder data
Regularly monitor and test networks
- 10. Track and monitor all access to network resources and cardholder data
- 11. Regularly test security systems and processes
Maintain an information security policy
- 12. Maintain a policy that addresses information security for employees and contractors
Which companies need to comply with PCI DSS?
Every merchant and service provider that stores, processes or transmits cardholder data must comply with PCI DSS, regardless of size; there is no transaction volume below which the standard stops applying. Transaction volume instead determines how you must validate compliance: if you process over 6 million card transactions per year you are a Level 1 merchant and must have an annual on-site assessment by a Qualified Security Assessor (QSA), while smaller merchants complete a Self-Assessment Questionnaire (SAQ); most merchants also need quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Rules that apply to regulated industries such as health care, banking or gaming are separate regulations and do not replace PCI DSS. Whatever your level, you need to become compliant before the deadline your acquirer has given you.
- Fines: Card brand fines for non-compliance can be as high as US$500,000 per incident; they are levied on your acquirer, which passes them on to you. If your organization is not currently up to standard it is more than likely that you will receive a call from your merchant bank or acquirer before the end of 2009.
- Merchant bank: The merchant bank is the financial institution that holds your merchant account and routes your credit card transactions to the card networks (the authorization or decline itself comes from the customer's issuing bank). If you are not PCI compliant it will be very difficult to convince them that the cardholder data in your systems is secure, and it is more than likely that they will send you a letter by the end of 2009 saying something to the effect of: "In order for us to continue our relationship we need you to become PCI compliant."
- Acquirer: "Acquirer" (or acquiring bank) is the formal term for the merchant bank above; in practice you may deal with it through a payment processor or independent sales organization rather than directly. The card brands hold the acquirer responsible for its merchants' compliance, so it typically has the final say in whether or not you can accept credit cards. If you fail to become compliant, the acquirer can refuse to let customers use their payment cards on your website and may ultimately terminate your merchant account if it determines that you are unable to keep sensitive cardholder data secure.