THE MAGAZINE OF THE SCHOOL SUPPLY INDUSTRY

Do You Understand PCI DSS?

While new research shows that small business owners are aware of Payment Card Industry Data Security Standards (PCI DSS), the fact that the standards are difficult to understand remains a huge hurdle to compliance, reports the National Retail Federation.

To help clarify some of the complexities, SearchCompliance, a free online resource for IT professionals, provides answers to frequently asked questions about PCI DSS. Here are just a few from its website; to read the details visit http://searchcompliance.techtarget.com/generic/0,295582,sid195_gci1364187,00.html.

What is PCI DSS?

It’s a global standard designed to help merchants protect customer account data – namely credit card numbers – from fraud. It spells out policies and procedures to improve the security of account data including management, software design and network architecture. PCI DSS was developed by MasterCard Worldwide, Visa, American Express, Discover Financial Services and JCB International and released in December 2004. The PCI Security Standards Council ensures that merchants deploy at least minimum security requirements. The standard has evolved since its inception and will continue to do so to account for emerging security risks. Critics point out that PCI compliance does not ensure security in a network environment or prevent data breaches. Advocates say that without PCI DSS and other standards, fewer companies would take IT security as seriously as they should.

What are some of the requirements?

PCI DSS groups its requirements under six general principles, which deal with securing the network components that support – or come in contact with – cardholder data transactions.
1. Build and maintain a secure network.
2. Protect cardholder data.
3. Maintain a vulnerability management program.
4. Implement strong access control measures.
5. Regularly monitor and test networks.
6. Maintain an information security policy.
The PCI Security Standards Council offers more detailed guidelines on the aim of each requirement in a document entitled, “Navigating PCI DSS: Understanding the Intent of the Requirements.”

Who is affected by PCI DSS?

Any organization that processes, stores or transmits credit card numbers is subject to PCI DSS requirements. Credit card numbers are known in the payment industry as “primary account numbers” (PANs). This applies to organizations that store PANs in paper form as well as electronic form.

As the PCI Security Standards Council explains, if an organization stores only truncated PANs and does not process or transmit full PANs, it is not subject to PCI DSS. In this context, a truncated PAN reveals at most the first six and last four digits. There is, however, an exception for Requirement 12.8, which, as the council’s guidance document explains, concerns merchants sharing cardholder data with service providers.
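The truncation rule above is concrete enough to check mechanically. The following Python script is an added example, not code from the article or from SearchCompliance; it masks a PAN to the first-six/last-four form, classifies stored card values against that rule, and sweeps free text for full PANs. The 13-to-19-digit PAN length, the "X" mask character and the sample values are assumptions.

```python
import re

MASK = "X"

# Assumed PAN length of 13 to 19 digits (not stated in the article); the
# optional separators catch PANs written with spaces or hyphens.
FULL_PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# The article's rule: at most the first six and the last four digits visible.
TRUNCATED_RE = re.compile(rf"^\d{{0,6}}{MASK}+\d{{0,4}}$")


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits; mask everything in between."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 10:
        raise ValueError("nothing would be masked; value is not a truncatable PAN")
    return digits[:6] + MASK * (len(digits) - 10) + digits[-4:]


def classify_card_value(value: str) -> str:
    """Return 'full', 'truncated' or 'over-exposed' for one stored card field."""
    compact = re.sub(r"[ -]", "", value)
    if FULL_PAN_RE.fullmatch(compact):
        return "full"            # complete PAN stored: record is in scope
    if TRUNCATED_RE.fullmatch(compact):
        return "truncated"       # meets the first-six/last-four rule
    return "over-exposed"        # masked, but reveals more than the rule allows


def find_full_pans(text: str) -> list:
    """Digit-only form of every full PAN found in free text (a DLP-style sweep)."""
    return [re.sub(r"\D", "", m.group(0)) for m in FULL_PAN_RE.finditer(text)]


# Constructed sample values, e.g. the card column of an order export.
SAMPLE_VALUES = [
    "4111111111111111",      # full 16-digit PAN
    "411111XXXXXX1111",      # first six + last four
    "4111 1111 1111 1111",   # full PAN with spaces
    "XXXXXXXXXXXX1111",      # last four only
    "4111111XXXXX1111",      # seven leading digits: too many
]


def scan_values(values=SAMPLE_VALUES) -> dict:
    """Map each stored value to its classification."""
    return {v: classify_card_value(v) for v in values}


if __name__ == "__main__":
    for value, status in scan_values().items():
        print(f"{status:13} {value}")
```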

What are the penalties for noncompliance?

Just as each of the credit card companies has established its own compliance validation mandates, each company administers its own penalties for noncompliance. Neither the PCI Security Standards Council nor the card companies have published a comprehensive roster of potential penalties. In recent years, however, Visa publicized the size of the fines that would be imposed for noncompliance by large and midsize merchants – $25,000 and $5,000 respectively. Penalties reach the merchant indirectly: the credit card company fines the noncompliant merchant bank, which in turn charges the merchant.

The case of discount retailer TJX Companies Inc., which includes U.S. stores T.J. Maxx, Marshalls, HomeGoods and A.J. Wright, illustrates the hefty price of noncompliance in light of a data breach. TJX disclosed a breach in early 2007, which resulted in more than 100 million cards potentially being exposed to fraud. The company settled a lawsuit brought by Visa for approximately $41 million, and a separate suit brought by MasterCard for $24 million. Prior to settling those cases, TJX estimated that it had already incurred $256 million in costs related to the breach, including investigations, legal expenses and dealing with the computer system’s vulnerabilities.
