
Payment Card Industry Data Security Standard (PCI DSS) - someone else's problem ?

by: Hubert O'Donoghue


It seems like every second day we hear about another security breach or data compromise, usually involving tens of thousands of card numbers and often additional, even more sensitive information. Used in conjunction with the card number, that information can result in serious financial loss and reputational damage to the compromised party.

Globally, it is evident that data compromises are becoming more widespread, and entities which considered themselves too small for fraudsters to notice are now regrettably becoming victims of data theft. The notion that this is something that only happens to the TJ Maxx's of this world can now be filed under “Myths of our time”.

If huge corporations like TJ Maxx and Hannaford are struggling to protect transactional data from compromise with all the IT security resources they have at their disposal, how can small privately owned businesses be expected to do so?

Since 2005, the card schemes (Visa, Mastercard, Amex, Diners and JCB) have laid out a mandatory standard called the Payment Card Industry Data Security Standard, or PCI DSS for short.

Let's try to deal with some of the most common reactions from businesses who accept credit cards when they hear about PCI DSS.

I have not heard anything about it – it's not my problem

It is very true that PCI DSS has received little or no publicity outside of the United States, but compliance with the standard is mandatory for any entity (from a corner shop or small e-commerce site, right up to a multinational merchant) which stores, processes or transmits card data. IT MOST CERTAINLY IS YOUR PROBLEM IF THE DATA IS DISCLOSED.

So what if I don't comply?

Mastercard and Visa have published schedules of fines for merchants who are non-compliant, and a further set of penalties for merchants who experience a compromise of credit card data. In summary, depending on merchant size, fines for non-conformity can start at €5000 and, in the case of Visa, can be levied on a monthly basis, starting at €5000 per month and escalating to €25000 per month if non-conformity persists.

Fines applying to merchants who are compromised start, for Mastercard, at $100,000 (or local currency equivalent) per incident, plus $25 (or local currency equivalent) per card number disclosed; the cost of the forensic investigation will also be levied.

For Visa, fines for merchants who are compromised start at €25,000 and can go as high as €750,000, depending on the number of card numbers disclosed. Additional fines may also be applied if merchants are found to have been storing “sensitive authentication data” at the time of the compromise (card track data, CVV/CVC values or PIN numbers).

On top of the fines, if you experience a data compromise it is also possible that your bank will terminate your card acceptance facility.

Where do I start?

Any business which handles, stores or processes card details needs to be aware that it must comply with the Payment Card Industry Data Security Standard (PCI DSS), regardless of the volume of transactions it handles. The full standard is available for download through the following link:

http://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

I have read the standard and I'm unclear how this applies to my business.

If you don't understand how to validate your compliance with the standard you can avail of a free validation requirements assessment tool at the following link:

http://www.o-cgroup.com/pci-merchants.shtml

This tool will help you identify what you have to do to validate compliance. For most merchants, except those handling in excess of 6 million transactions per card scheme per annum, this involves completing a self-assessment questionnaire and, where they have a web presence, having their IP addresses scanned at least quarterly.

It all seems so complicated and sounds costly.

The vast majority of smaller merchants can achieve compliance without incurring major cost. Many merchants can greatly simplify the measures necessary to achieve compliance by not storing card data at all once a transaction has been authorised.

When using service providers to deliver aspects of your commerce solution, make sure you include a clause in the contract which requires that service provider to maintain compliance with the PCI DSS.

Where do I start?

All merchants have to complete a self-assessment questionnaire, and practically all merchants are required to perform IP address scanning of their web environment.

Currently O-C Group are offering a FREE TRIAL scanning service and a consultation on the scan results. You can register for this at:

http://www.o-cgroup.com/freescan-offer.php



Article Source: http://www.ArticleStreet.com/


About the Author

Hubert O'Donoghue is globally acknowledged as an expert in all areas of the Payment Card Industry. He has owned and managed a large-scale international card processing centre and now works with merchants, card issuers, acquirers and payment service providers, advising them on all aspects of their payments strategy and payment security. For more information contact us through: http://www.o-cgroup.com/contactus.php or call us on + 353 1 4151205/7