Despite increasingly heightened security by merchants and service providers, credit and debit card fraud is still on the rise. Perpetrators are using ever more sophisticated methods of infiltration to access sensitive payment card information. The financial cost of fraud to a corporation of any size can be huge, and the price of preventing it is vast.

Any company which stores, processes or transmits payment card data bearing the logo of the five major payment companies has to comply with the Payment Card Industry Data Security Standards (PCI DSS). These five companies are American Express, Discover, JCB, MasterCard and Visa. The standards were devised in 2004 to provide a common set of industry tools for the storage of payment card data, in order to prevent, detect and react to security incidents.

As well as merchants and banking institutions, compliance is required of any third party who accepts or processes payment cards. This includes call centres that receive cardholder data which they are unable to delete. If merchants use payment gateways to process transactions on their behalf, compliance is not required of the merchant, but they must obtain a contractual obligation from the third party that it complies with PCI DSS and is responsible for the security of cardholder data.

Fines for non-compliance or security breaches can be huge, reaching $500,000. High profile cases involving huge corporations have hit the headlines. Some card brands have threatened huge fines against larger merchants of up to $25,000 per month until compliance is obtained. In severe cases, they have even threatened to remove the ability to process credit card payments, which could be economically fatal for any merchant.

While Visa reports that the majority of security breaches occur in small enterprises, any company that stores, processes or transmits card information has to comply with a strict set of guidelines. Although intended to create a global standard which protects consumers and corporations alike, these guidelines can be time consuming, costly and complex to implement.

Corporations that require PCI DSS compliance are prevented from storing sensitive credit card information, including security codes, track data from the magnetic strip, and PIN numbers. Information which can be stored includes credit card numbers, expiration dates and customer details, but the method of storage needs to meet certain requirements.

How to obtain PCI DSS compliance

The recommended first step to obtaining compliance is to hire the services of a Quality Security Assessor, who can advise on the steps needed to reach compliance as well as completing the official assessments required. Smaller companies that process fewer than 80,000 transactions per year are permitted to complete a self-assessment questionnaire.

Compliance covers 6 areas of security:

1. Construction and maintenance of a secure network - including installation of a firewall to protect cardholder data
2. Protection of cardholder data - including encryption during data transmission
3. Vulnerability management - with regular updates of anti-virus software
4. Access control - to prevent and restrict access to sensitive data
5. Regular monitoring and testing of networks
6. Maintenance of an information security policy

The latest updated guidelines for PCI DSS are due for release in October 2008.

The benefits of PCI DSS compliance

- Protection from PCI related fines if compliant at the time of a breach
- Increased customer confidence in data protection
- Advice on how to remediate any data security risks
- Advice on how to prevent service providers from putting your business at risk through poor data security
- Increased protection from fraudsters
- Protection from unwanted negative media attention

With this said, there is no question as to why PCI compliance is as important as it is. It protects both the consumer and the merchant, making transactions considerably safer than they would be otherwise.