PCI-DSS: What the Chief Compliance Officer Needs to Know

If you’ve tried to consolidate your merchant banking relationships recently, you’ll understand the importance of PCI-DSS, the Payment Card Industry Data Security Standard which regulates how businesses must handle customer credit card data to ensure the privacy of cardholders. Most banks are now charging higher rates to customers who don’t comply with PCI-DSS, and some are even refusing to do business with non-compliant organizations.

PCI-DSS consists of 12 discrete requirements, dictating how card processors handle everything from network security standards to data encryption:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

Compliance is assessed each year by card issuers and acquirers (think Visa, Mastercard, AMEX). Organizations that process large volumes of credit card transactions (more than 6 million transactions in any given year) are subject to an annual on-site audit and quarterly network scans by an approved Qualified Security Assessor. Smaller businesses can self-certify via a Self-Assessment Questionnaire.

Penalties for non-compliance can be stiff, with fines of up to $500,000 and the financial and legal headache resulting from audits and legal action over leaked data – not to mention the embarrassing public relations problem that can arise if cardholder data is breached. Businesses that continue to fail compliance tests can lose their ability to process credit card transactions altogether.

What To Look For In A PCI-DSS Compliance Solution

A flexible compliance solution will be key to successful PCI-DSS compliance. If you’re already using a compliance tool for SOX, first examine whether or not it can be configured to manage PCI-DSS compliance efforts as well; standalone PCI-DSS solutions will be rare. It’s worth noting that PCI-DSS is enforced separately by each issuing organization – so even though the standard exists to streamline your compliance efforts, each organization may require a slightly different set of documentation. Your solution should therefore include the ability to upload published PCI-DSS control libraries, allow you to record any nuances by card issuer, and offer electronic delivery of all required documentation with the click of a button.

PCI-DSS, like so many other regulations, is here to stay. Strategic businesses will integrate compliance with the standard into a culture of compliance and, like SOX compliance, learn to leverage these discrete compliance checks within a broader process improvement initiative … helping them do things faster, better and smarter in the Office of Finance.