Are You PCI Compliant?

According to the most recent Unisys Security Index, a leading social indicator of how consumers feel about certain risks, financial fraud – especially the unauthorized use of credit and debit cards – remains one of the top concerns across the country.  

Sixty two percent of adults are “seriously concerned” about the unauthorized use of their cards. Financial institutions and businesses, which lose billions of dollars to fraud every month, are continually fighting both amateur and sophisticated fraudsters. 

The latest push to make credit card transactions safer is taking place right now. 

What is the PCI?

The Payment Card Industry Security Standards Council (“PCI”) is an association formed in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.  Its purpose is to develop, manage and raise awareness about security standards for ensuring that credit card information is kept safe.  There are three standards:  the Data Security Standard (“DSS”), the Payment Application Data Security Standard (“PA-DSS) and the Pin-Entry Device (“PED”) Requirement. 

What is the Data Security Standard (“DSS”)?

The DSS is the security standard which every business owner that accepts credit cards needs to know and implement.  The DSS consists of 12 requirements organized under six principles:

• Principle: Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

• Principle: Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

• Principle: Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

• Principle: Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data 

• Principle: Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

• Principle: Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security 

The complete DSS can be downloaded from the PCI website. 

How does PCI DSS enforcement work?

These standards are provided by the PCI and are enforced by each of major credit card interchanges which I mention in my previous article on interchange fees.  How you comply with them depends on whether you are a merchant, service provider or financial institution.  You are a merchant if you take credit card payments from your customers.

Deadlines for compliance with the DSS have passed.  If your company processes, stores or transmits credit card data and it is not compliant, your company could be exposed to increased fees, fines and even the cancellation of your ability to process credit cards.  If a security breach occurs and credit card data is compromised, it could be a very expensive and embarrassing proposition.

Step one: Determine if you need to comply

Think carefully. Do you process, store or transmit credit card information? Think about your website, accounting software, customer relationship management system and more. Do you record sales calls where credit card data is accepted? Odds are you will need to comply.  If you use a fully-hosted e-commerce solution, that company needs to be compliant. Check to see if they are on the list of validated payment applications.  

Step two: Determine compliance requirements

The requirements for compliance vary depending on the scale and scope of your credit card transactions as well as the individual requirements of each interchanges. Examples of requirements include:

• Having a certified vendor conduct an onsite audit
• Having your network scanned using a certified auditing tool
• Self-certifying your compliance with DSS
• Conducting regular network scans; and more

For compliance requirements of the major interchanges see these resources:

• American Express compliance
• Discover compliance
• MasterCard compliance (See both the levels and requirements sections)
• Visa compliance

Step three: Find a compliance vendor

In the unlikely event that an onsite audit will need to be completed, it must be done by a Qualified Security Assesor (“QSA”).  A list of QSAs is available here.  If you need to conduct a scan of your system, a list of Approved Scanning vendors is available here.

Changes coming this October

The PCI will make public the DSS 2.0 in October.  It is largely expected that the changes will be incremental with a focus on clarifying the existing standards.

Compliance contact information

Use the following contact information for more information about compliance with each interchange:

• American Express compliance website and email
• Discover compliance website and email
• JCP – TBD compliance website and email
• MasterCard compliance website and email
• Visa compliance website and email