Core Requirements of PCI Data Security Standards
Cardholder data theft has become an issue every merchant must face. Following several high-profile incidents over the past few years (e.g., CardSystems Solutions and TJX), the card brands (Visa, MasterCard, American Express, Discover and JCB) devised data security standards for merchants that process transactions through their networks. The PCI Data Security Standard (PCI DSS for short) consolidates the brands' separate programs into one uniform set of requirements: version 1.0 was released in December 2004, and in September 2006 the brands formed the PCI Security Standards Council, which now maintains the standard (version 1.1 was published that month). PCI DSS applies to any merchant that stores, processes, or transmits cardholder data, regardless of size or transaction volume. In practice that means ALL merchants are affected; what varies is how compliance must be validated.
So how do you comply? The first step is to develop written policies, procedures and protocols that address the 12 core requirements of PCI DSS, and then validate your compliance according to your merchant level. The card brands assign levels by annual transaction volume: the largest merchants must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), while smaller merchants complete an annual Self-Assessment Questionnaire (SAQ). Merchants with Internet-facing systems in scope must also pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
The 12 core requirements of PCI DSS, which the standard groups under six control objectives (build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; maintain an information security policy), are:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
Some of these requirements will be met by your web hosting company and others by your shopping cart vendor, but the merchant remains responsible for compliance. Get written confirmation from each provider of exactly which requirements they cover and which remain yours; a hosted firewall, for example, does nothing for Requirement 7 or 8 if your own staff share one administrative login to the cart.
You may already be fulfilling some of the core requirements, such as changing the shopping cart's default administrative password after installation (Requirement 2) and purchasing an SSL/TLS certificate from a company like Comodo to encrypt data between the browser and the server (Requirement 4). Note that the certificate alone does not satisfy Requirement 4: the server must be configured to use it, and every page and form that handles card data must actually be served and submitted over HTTPS.
If you experience a data breach and are found not to have been in compliance, you could be subject to fines of up to $500,000 per incident from the card associations, in addition to the cost of the forensic investigation and the possibility of losing the ability to accept cards.
Russ Gottlich, CPA is President of FDIS Loud ( http://www.fdisloud.com ), an independent agent office of First Data Independent Sales (FDIS), a leading provider of payment processing services and tools for Internet and retail merchants worldwide. Russ presented “Best Practices in Electronic Payment Processing” at HostingCon2007.



