As of September 30th 2007, all businesses handling cardholder data (irrespective of size) must be fully compliant with strict security measures imposed by the leading credit card companies. Credit card theft is the most common form of identity theft (26%) as of 2006. With over 1.3 billion credit cards in circulation as of 2004, and over 33 billion dollars in balances on those cards, companies are finding their networks and credit card systems under attack by thieves.

In order to protect cardholder data from theft or fraud, American Express, Visa, MasterCard, and Discover have developed what is known as PCI DSS (Payment Card Industry Data Security Standards). These standards involve 12 steps needed to become compliant; businesses that do not comply face fines of up to $500,000, plus legal expenses, and may even lose the ability to accept credit cards.

These twelve steps are:
1. Install and maintain a firewall to protect cardholder data
2. Do not use vendor-supplied defaults for passwords or other security parameters
3. Protect stored cardholder data
4. Encrypt cardholder data across public networks (i.e. the Internet)
5. Use and regularly update antivirus software
6. Develop and maintain secure systems and applications
7. Assign a unique ID to each computer user
8. Restrict access to cardholder data to a need-to-know basis
9. Restrict physical access to cardholder data
10. Track and monitor all access to network data
11. Regularly test security systems and processes
12. Maintain an information security policy for employees and contractors

Compliance with PCI DSS can be divided into 3 main stages:

Collecting and storing: Secure collection and tamper-proof storage of all log data so that it is available for analysis.

Reporting: Being able to prove compliance on the spot if audited, and to present evidence that controls are in place for protecting data.

Monitoring and alerting: Having systems in place, such as auto-alerting, to help administrators constantly monitor access to and usage of data. Administrators are warned of problems immediately and can rapidly address them. These systems should also extend to the log data itself - there must be proof that log data is being collected and stored.

Businesses that accept, process or dispose of credit card information are divided into two groups for PCI DSS purposes. The first group is defined as merchants, the other as service providers. Merchants are generally retail, higher education, healthcare, travel, energy and finance businesses. The PCI DSS assigns such businesses to one of four different levels, each with its own compliance process.

Level 1: A merchant that has had data compromised, or that has more than 6 million transactions per year. Level 1 merchants must have annual onsite security audits and scan their networks quarterly.

Level 2: Merchants with between 1 and 6 million transactions annually. Level 2 merchants must complete annual self-assessments and quarterly network scans.

Level 3: Merchants with between 20,000 and 1 million transactions annually. Level 3 merchants must complete annual self-assessments and quarterly network scans.

Level 4: All other merchants. Level 4 merchants must complete annual self-assessments and quarterly network scans.

Service providers are generally businesses such as payment gateways, e-commerce hosting providers, credit reporting agencies and paper shredding businesses. They fall into one of three different levels.

Level 1: All processors and payment gateways must have annual PCI DSS Security Assessments and quarterly network scans.

Level 2: Any service provider that is not Level 1 and processes more than 1 million transactions must have annual PCI DSS Security Assessments and quarterly network scans.

Level 3: Any service provider that is not Level 1 and processes fewer than 1 million transactions must complete an annual self-assessment and quarterly network scans.

What are the consequences of not complying?

Card companies may impose fines on their member banking institutions when merchants are found to be non-compliant with PCI DSS. Acquiring banks may in turn contractually oblige merchants to indemnify and reimburse them for such fines. Fines could go up to $500,000 per incident if data is compromised and merchants are found to be non-compliant. In the worst-case scenario, merchants could also risk losing the ability to process customers' credit card transactions. Businesses from which cardholder data has been compromised are obliged to notify legal authorities and are expected to offer free credit-protection services to those potentially affected.

There may be other consequences besides the fines. Cardholder data loss, whether accidental or through theft, may also lead to legal action being taken by cardholders. Such a step will result in bad publicity, which may in turn lead to loss of business.