Your PCI DSS Compliance Requirements

What is PCI DSS Compliance?

“PCI DSS” stands for Payment Card Industry (PCI) Data Security Standard (DSS). It was developed by the major credit card companies in 2004 as a guideline to help organizations that process card payments prevent credit card fraud, hacking, and various other types of card security breaches. A company processing, storing, or transmitting card numbers must be PCI DSS compliant or they risk losing the ability to process credit card payments.

Merchants and Service Providers must validate PCI compliance with an audit by a PCI DSS Qualified Assessor Company. Each merchant must complete the annual Self-Assessment Questionnaire (SAQ) and submit to quarterly system penetration scanning depending on the type of equipment they use to process credit cards.

Who has to comply?

The credit card companies have made it clear that ANY entity that stores, processes, or transmits cardholder data regardless of their transaction volume, are required to comply with the PCI requirements. Failure to comply with the PCI security standard may result in substantial fines or permanent expulsion from card acceptance programs. Recent studies on financial fraud have indicated that hackers are increasingly targeting small, commercial Web sites, increasing the need for all merchants and service providers to become fully compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).

What if I don’t comply?

These new card data security standards come with serious consequences. Failure to comply with PCI-DSS requirements can result in stiff contractual penalties or sanctions from members of the payment card industry. These include:

• Fines of $500,000 per data security incident
• Fines of $50,000 per day for non-compliance with published standards
• Liability for all fraud losses incurred from compromised account numbers
• Liability for the cost of re-issuing cards associated with the compromise
• Suspension of merchant accounts

Non compliance is simply not worth the risk. It only takes one incident of data compromise to potentially put you out of business. The fines and penalties alone of a data breech are generally more than a merchant can financially bear and the business fails because of it. If the merchant looses their merchant account altogether, business failure is imminent because retail simply cannot exist without the ability to accept credit and debit cards.

How do I comply?

The yearly Self-Assessment Questionnaire (SAQ) that you must submit to your processor consists of 75 questions that address 12 security requirements and all questions must be honestly answered YES, even the questions that seem to have no bearing on a particular merchant. To comply with PCI DSS, you must have a series of written security policies, procedures, employee handouts, and training aids all related to the secure handling and processing of credit card data. You must also ENFORCE those policies and procedures in your organization and prove that you do so with proper logging and security trails.

What happens if I am breached?

Currently 38 states have enacted some sort of breach disclosure law. In general, most state laws follow the basic tenets of California's original law which was enacted in 2002. Companies who are breached must immediately disclose the data breach to customers, usually in writing. Companies must also notify their processor who will then notify the bank. At that point the processor or bank will initiate a PCI DSS audit on the merchant to see if the merchant was in fact PCI DSS compliant at the time of the breach. Failure of the merchant to disclose a known breach would create the appearance that the merchant is involved in the breach. This situation would put the merchant in a possible criminal defense position by not disclosing or hiding the breach.

If the PCI DSS audit concludes that the merchant was fully compliant at the time of the breach then the merchant has a reasonable defense and has shown proper diligence in their card acceptance procedures. If the audit shows that the merchant was not actually in compliance at the time of the breach, despite having previously submitted their compliance SAQ, the merchant is then subject to very large fines, penalties, and actual damages as well as the possibility of losing their card acceptance privileges permanently. It would be very difficult if not impossible for a breached merchant to survive the financial burden of the breach let alone be able to survive as a business without their merchant account.

At present, there are no known cases of a fully PCI DSS compliant merchant actually being breached.

What do I do if I am compromised?

Visa publishes a 23 page document discussing this issue called Visa Fraud Investigations and Incident Management Procedures.

What are the security requirements of PCI DSS?

There are 12 Requirements of the PCI DSS Standard organized into 6 logically related groups, which are called, “control objectives.” They are as follows:

• Build and Maintain A Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update antivirus software
  • Requirement 6: Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to data
• Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
• Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

Merchants cannot rely on their bank, processors or vendors to make them compliant or even inform them of their responsibility. Merchants alone are responsible for their own compliance.

This Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data. PCI Compliance is not optional and the penalties are high should your organization be breached or if your non-compliance becomes known. Non-compliance puts your entire organization and your business at risk.

MCPS provides consulting and support along with a "PCI Toolkit" that guides you through the process of certification and keeps you safe.

For more Information
http://usa.visa.com/merchants/risk_management/cisp_merchants.html

For more information from the Better Business Bureau
“Security & Privacy Made Simpler”
http://us.bbb.org/WWWRoot/storage/16/documents/SecurityPrivacyMadeSimpler.