Winning the PCI Compliance Battle
The Payment Card Industry Locks Down Customer Data
The last several years have seen an unprecedented assault on personal and
financial data that customers have knowingly or unwittingly entrusted to retailers,
banks, service providers and credit card companies. Bank of America, BJ’s
Wholesale Club, CardSystems Solutions, ChoicePoint, Citigroup, DSW Shoe
Warehouse, Hotels.com, LexisNexis, Polo Ralph Lauren and Wachovia are just
a few of the names that have been boldly exposed in the media and pummeled
in the financial markets after major data security breaches were revealed.
Credit card data in particular has been compromised so frequently that calls for
government intervention and regulation became widespread.
Taking another approach, the payment card industry countered the
criminal onslaught with a homegrown security initiative that is at once broader
in scope and more granular in its requirements than any measures additional
government regulation might have imposed. The Payment Card Industry Data
Security Standard is a comprehensive security standard that establishes
common processes and precautions for handling, processing, storing and
transmitting credit card data.
PCI, as it is almost universally known, was originally developed by
MasterCard and Visa through an alignment of security requirements contained
in the MasterCard Site Data Protection Plan (SDP) and two Visa programs,
the Cardholder Information Security Program (CISP) and the international Account
Information Security (AIS). In September of 2006, a group of five leading
payment brands including American Express, Discover Financial Services,
JCB, MasterCard Worldwide and Visa International jointly announced formation
of the PCI Security Standards Council, an independent council established to
manage ongoing evolution of the PCI standard. The current version of PCI DSS
is 2.0. The Council updates the standard every three years and issues new
guidance as needed.
Participation and Validation Requirements
The PCI Security Standards Council manages the underlying Data Security
Standard, while compliance requirements are set independently by individual
card brands. While requirements vary between card networks, MasterCard’s
Site Data Protection Plan and Visa’s Cardholder Information Security Program
are representative. They stipulate separate compliance validation requirements
for merchants and service providers, which vary depending on the size of the
company. Compliance levels are defined based on annual transaction volume.
Annual on-site security audits – MasterCard and Visa require the largest
merchants (level 1) and service providers (levels 1 and 2) to have a yearly
on-site compliance assessment performed by a certified third-party auditor.
Annual self-assessment questionnaire – In lieu of an on-site audit, smaller
merchants (levels 2, 3 and 4) and service providers (level 3) are required to
complete a self-assessment questionnaire to document their security status.
Quarterly external network scans – All merchants and service providers are
required to have external network security scans performed quarterly by a
certified third-party vendor. Scan requirements are rigorous: all 65,535 ports
must be scanned, all vulnerabilities detected at a “High” severity level must be
remediated, and two reports must be issued—a technical report that details
all vulnerabilities detected with solutions for remediation, and an executive
summary report with a PCI approved compliance statement suitable for
submission to acquiring banks for validation.
While non-compliance penalties also vary among major credit card networks,
they can be substantial. Participating companies can be barred from processing
credit card transactions; higher processing fees can be applied; and in the event
of a serious security breach, fines of up to $500,000 can be levied for each
instance of non-compliance.
Since compliance validation requirements and enforcement measures
are subject to change, merchants and service providers should closely monitor
the requirements of all card networks in which they participate.
Selecting a PCI Network Security Testing Service
At first exposure, PCI compliance and validation requirements can appear
daunting, particularly the external scan requirement. Merchants can simplify
the selection process by establishing a few key selection criteria.
Three important things to look for in a PCI network scanning service are:
Accuracy – It’s extremely important that a testing service be able to
accurately identify real vulnerabilities and not generate a large inventory
of false positives, each of which must be manually evaluated for
remediation. False positives (and false negatives) can significantly
and unnecessarily inflate the workloads and labor costs of maintaining
Efficient vulnerability remediation process – The service provider
must offer tested and documented remediation processes for all identified
vulnerabilities, and provide expert technical support assistance.
Automated report preparation and on-line filing – Automatic
report preparation and electronic filing greatly simplify compliance
administration and reduce the attendant workload.
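The quarterly scan and reporting requirements described above, together with the point about false positives under Accuracy, as an added example that is not the article's or IThound's own code: a small Python gate that checks a scan result for full coverage of all 65,535 ports, treats only "High" findings as blockers (a suspected false positive counts as still open until a written justification is recorded), and produces the technical and executive reports from the same data. The data layout (ScanResult, Finding, the status values) and the sample hosts are assumptions.

```python
from dataclasses import dataclass, field

TOTAL_PORTS = 65535  # the article's figure for a complete external sweep

@dataclass
class Finding:
    host: str
    port: int
    title: str
    severity: str            # "High", "Medium" or "Low"
    status: str = "open"     # "open", "remediated" or "false_positive"
    justification: str = ""  # must be filled in to accept a false positive
    def blocks_compliance(self) -> bool:
        # Only High findings gate the statement; a false positive without a
        # written justification is treated as still open.
        if self.severity != "High" or self.status == "remediated":
            return False
        return not (self.status == "false_positive" and self.justification.strip())

@dataclass
class ScanResult:
    ports_scanned: dict      # host -> number of ports actually covered
    findings: list = field(default_factory=list)

def evaluate(scan: ScanResult) -> dict:
    """Gaps that would prevent a passing compliance statement."""
    gaps = sorted(h for h, n in scan.ports_scanned.items() if n < TOTAL_PORTS)
    blockers = [f for f in scan.findings if f.blocks_compliance()]
    return {"passing": not gaps and not blockers, "coverage_gaps": gaps, "blockers": blockers}

def technical_report(scan: ScanResult) -> list:
    # Detailed report: one line per finding with its current status.
    return [f"{f.host}:{f.port} [{f.severity}] {f.title} - {f.status}"
            for f in sorted(scan.findings, key=lambda f: (f.host, f.port))]

def executive_summary(scan: ScanResult) -> str:
    """The compliance statement line that goes to the acquiring bank."""
    r = evaluate(scan)
    verdict = "COMPLIANT" if r["passing"] else "NOT COMPLIANT"
    return (f"{verdict}: {len(r['coverage_gaps'])} host(s) below full port "
            f"coverage, {len(r['blockers'])} unresolved High finding(s)")

# Constructed sample: one fully swept host, one with an incomplete sweep.
SAMPLE = ScanResult(
    ports_scanned={"www.example.com": 65535, "mail.example.com": 1024},
    findings=[
        Finding("www.example.com", 443, "Outdated TLS library", "High", "remediated"),
        Finding("www.example.com", 80, "Directory listing", "Medium"),
        Finding("mail.example.com", 25, "Open relay suspected", "High", "false_positive"),
    ])
```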
Article by IThound