As of September 30th 2007, all businesses handling cardholder data (irrespective of size) must be fully compliant with strict security measures imposed by the leading credit card companies. Credit card theft is the most common form of identity theft (26%) as of 2006. With over 1.3 billion credit cards in circulation as of 2004, and over 33 billion dollars in balances on those cards, companies are finding their networks and credit card systems under attack by thieves.
In order to protect cardholder data from theft or fraud, American Express, Visa, MasterCard, and Discover have developed what is known as PCI DSS (Payment Card Industry Data Security Standard). The standard involves 12 steps a business must take to become compliant, or else face fines of up to $500,000, plus legal expenses, and even the loss of the ability to accept credit cards.
These twelve steps are:
1. Install and maintain a firewall to protect cardholder data
2. Do not use vendor supplied defaults for passwords or other security parameters
3. Protect stored cardholder data
4. Encrypt cardholder data transmitted across public networks (i.e. the Internet)
5. Use and regularly update antivirus software
6. Develop and maintain secure systems and applications
7. Assign a unique ID to each computer user
8. Restrict access to cardholder data on a need-to-know basis
9. Restrict physical access to cardholder data
10. Track and monitor all access to network data
11. Regularly test security systems and processes
12. Maintain a policy for information security for employees and contractors
Compliance with PCI DSS can be divided into 3 main stages:
Collecting and storing: Secure collection and tamper-proof storage of all log data so that it is available for analysis.
Reporting: Being able to prove compliance on the spot if audited and present evidence that controls are in place for protecting data.
Monitoring and alerting: Have systems in place, such as automatic alerting, to help administrators constantly monitor access to and usage of data. Administrators are warned of problems immediately and can rapidly address them. These systems should also extend to the log data itself: there must be proof that log data is being collected and stored.
Businesses that accept, process, or dispose of credit card information are divided into two groups for PCI DSS purposes. The first group is defined as merchants, the other as service providers. Merchants are generally retail, higher education, healthcare, travel, energy and finance businesses. PCI DSS assigns each merchant to one of four levels, each with its own compliance process.
Level 1: A merchant that has had data compromised or that processes more than 6 million transactions per year. Level 1 merchants must have annual onsite security audits and quarterly network scans.
Level 2: Merchants with between 1 and 6 million transactions annually. Level 2 merchants must complete annual self-assessments and quarterly network scans.
Level 3: Merchants with between 20,000 and 1 million transactions annually. Level 3 merchants must complete annual self-assessments and quarterly network scans.
Level 4: All other merchants. Level 4 merchants must complete annual self-assessments and quarterly network scans.
Service providers are generally businesses that operate payment gateways, host e-commerce sites, act as credit reporting agencies, or provide paper shredding services. They fall into one of three levels.
Level 1: All processors and payment gateways must have annual PCI DSS security assessments and quarterly network scans.
Level 2: Any service provider that is not level 1 and processes more than 1 million transactions must have annual PCI DSS security assessments and quarterly network scans.
Level 3: Any service provider that is not level 1 and processes fewer than 1 million transactions must complete annual self-assessments and quarterly network scans.
What are the consequences of not complying?
Card companies may impose fines on their member banking institutions when merchants are found to be non-compliant with PCI DSS. Acquiring banks may in turn contractually oblige merchants to indemnify and reimburse them for such fines. Fines could go up to $500,000 per incident if data is compromised and merchants are found to be non-compliant. In the worst case scenario, merchants could also risk losing the ability to process customers' credit card transactions.
Businesses from which cardholder data has been compromised are obliged to notify legal authorities and are expected to offer free credit-protection services to those potentially affected.
There may be other consequences besides the fines. Cardholder data loss, whether accidental or through theft, may also lead to legal action being taken by cardholders. Such a step will result in bad publicity, which may in turn lead to loss of business.
Bruce Naylor
http://www.FrugalBrothers.Com
(260) 724-2748.
Bruce Naylor has been a CRM and IT specialist since 1985. Bruce and his wife Cindee founded Sales Automation Group in 1997 as a GoldMine VAR. They quickly grew the business to platinum level status. Bruce sold the company in 2001. In 2006, Bruce and Cindee again opened a new IT firm, called FrugalBrothers.com. The company currently works to provide Microsoft small business solutions, as well as GFI network and fax based products.