Are You PCI Compliant?

August 24, 2010

According to the most recent Unisys Security Index, a leading social indicator of how consumers feel about certain risks, financial fraud – especially the unauthorized use of credit and debit cards – remains one of the top concerns across the country.

Sixty-two percent of adults are “seriously concerned” about the unauthorized use of their cards. Financial institutions and businesses, which lose billions of dollars to fraud every month, are continually fighting both amateur and sophisticated fraudsters.

The latest push to make credit card transactions safer is taking place right now. 


What is the PCI?

The Payment Card Industry Security Standards Council (“PCI”) is an association formed in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Its purpose is to develop, manage and raise awareness about security standards for keeping credit card information safe. There are three standards: the Data Security Standard (“DSS”), the Payment Application Data Security Standard (“PA-DSS”) and the PIN Entry Device (“PED”) Requirement.


What is the Data Security Standard (“DSS”)?

The DSS is the security standard that every business owner who accepts credit cards needs to know and implement. The DSS consists of 12 requirements organized under six principles:


  • Principle: Build and Maintain a Secure Network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Principle: Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Principle: Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update anti-virus software
    • Requirement 6: Develop and maintain secure systems and applications
  • Principle: Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data 
  • Principle: Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  • Principle: Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security 

The complete DSS can be downloaded from the PCI website.


How does PCI DSS enforcement work?


These standards are published by the PCI and enforced by each of the major credit card interchanges, which I mentioned in my previous article on interchange fees. How you comply with them depends on whether you are a merchant, service provider or financial institution. You are a merchant if you take credit card payments from your customers.

Deadlines for compliance with the DSS have passed. If your company processes, stores or transmits credit card data and is not compliant, it could be exposed to increased fees, fines and even the cancellation of its ability to process credit cards. If a security breach occurs and credit card data is compromised, it could be a very expensive and embarrassing proposition.

 

So what do I need to do for my business?


Step one: Determine if you need to comply

Think carefully. Do you process, store or transmit credit card information? Think about your website, accounting software, customer relationship management system and more. Do you record sales calls where credit card data is accepted? Odds are you will need to comply. If you use a fully hosted e-commerce solution, that company needs to be compliant. Check to see if it is on the list of validated payment applications.

 

Step two: Determine compliance requirements


The requirements for compliance vary depending on the scale and scope of your credit card transactions as well as the individual requirements of each interchange. Examples of requirements include:

 

  • Having a certified vendor conduct an onsite audit
  • Having your network scanned using a certified auditing tool
  • Self-certifying your compliance with DSS
  • Conducting regular network scans; and more

For the compliance requirements of the major interchanges, see these resources:

Each interchange organizes merchants into tiers based on their card volume. If you are a small business, you will most likely fall into the lowest tier for each network. At that level, some of the more onerous requirements are only “recommended” and the most expensive ones, like on-site audits, are not required.

 

Step three: Find a compliance vendor


In the unlikely event that an on-site audit needs to be completed, it must be done by a Qualified Security Assessor (“QSA”). A list of QSAs is available here. If you need to conduct a scan of your system, a list of Approved Scanning Vendors is available here.

 

Changes coming this October


The PCI will publish DSS 2.0 in October. The changes are widely expected to be incremental, with a focus on clarifying the existing standards.

 

Compliance contact information


Use the following contact information for more information about compliance with each interchange:


Mike Periu is the founder of EcoFin Media, LLC, an independent producer of financial, economic and entrepreneurial content for television, radio, print and the internet. Over the past ten years he has started three companies and advised over 50 companies on financial strategies, including fundraising. Mike also hosts regular small business webinars on a range of topics relevant to business owners.

© 2012 American Express Company. All rights reserved.