A Quick Intro to PCI Compliance

Sunday, March 7, 2010

(Members Only Software, Inc.)

What is PCI?
PCI stands for Payment Card Industry. The PCI Security Standards Council (PCI SSC), founded by the major card brands (Visa, MasterCard, American Express, Discover and JCB), issues the PCI Data Security Standard (PCI DSS), a list of twelve security requirements that every merchant account holder accepting those cards is required to meet.

To whom do these standards apply?
According to the standard, "PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted."  In other words, if you ever send a credit card number through to the bank for processing, you've got to pass muster.

Who monitors my compliance?

Your compliance with these standards is monitored by your "acquirer", the company at the other end of your credit card processing software or device. For MasterCard and Visa this is your bank or credit card processor; for American Express and Discover it is the card brand itself. The largest merchants are required to submit a detailed Report on Compliance (ROC), typically prepared by a Qualified Security Assessor (QSA), to verify compliance. Most organizations can instead complete a Self-Assessment Questionnaire (SAQ) and sign an Attestation of Compliance (AOC).

Is anyone actually paying attention?
While many organizations have only heard rumbles about PCI in their business communities, other organizations we work with have been told by their banks that they are out of compliance. This can lead to fees, fines and, at worst, the loss of your merchant account. If you suffer an incident in which cardholder data in your custody is compromised, you will almost certainly be deemed out of compliance at that point, and the number of such incidents is increasing. You owe it to your organization's donors, supporters and customers to protect the information they have entrusted to you.

The biggest misconception we see among our clients is the idea that using the right credit card processing system or software makes them compliant.
There are indeed requirements that payment applications must meet; these make up a second standard, the Payment Application Data Security Standard (PA-DSS). Running insecure payment software is a sure path to non-compliance. But using a PA-DSS validated payment application is not enough to make you, the merchant, compliant. PCI DSS covers the security of your information systems as a whole: every component that stores, processes or transmits cardholder data, and everything connected to those components, is in scope.

How do credit card thefts occur?

These statistics, which come from the PCI Council, show how neglecting basic security can easily lead to a compromise of sensitive data, and why PCI DSS addresses your security in general rather than just your payment software.

The 12 PCI DSS requirements are organized under six goals:

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors.

PCI Security Requirements in detail:
The chart above gives you a sense of the range of issues the standard covers. But this is just, in effect, a table of contents to the standard. The full standard goes into significant detail under each one.

Let's look at one example. Requirement #1 reads "Install and maintain a firewall configuration to protect cardholder data." You might think the fact that you have an industry standard firewall product installed gets you a pass on this one. But that is just the starting point. The requirements ask for:
More information on the full standard:
How can you find out the full extent of the PCI requirements? The PCI Security Standards Council site (pcisecuritystandards.org) is full of information about the standard and compliance testing. A good starting point is "Navigating PCI DSS", a fifty-page introduction to the terms of the standard and the meaning and intent of each clause. It is the best thing to read if you want a complete explanation of the data security standard.

The full PCI DSS specification can be downloaded from the Council's document library, and when you are ready, the self-assessment questionnaires are available there as well.

If you want to learn all there is to know about PCI, you can attend a two-day seminar given by the PCI Council. We took it and found it invaluable. 

Members Only Software Consulting Services
We've spent a lot of time, in class and online, developing an understanding of PCI DSS. Call and engage us for consultation on your information security, or just send us an email to start the process.

 
