PCI DSS (Payment Card Industry Data Security Standards) is now at the forefront of the electronic payments industry. The proliferation of fraud and risk associated with credit card processing makes these standards to secure cardholder data that is stored, processed or transmitted by merchants and processors an absolute necessity.
PCI DSS is not an option - no matter what size merchant you are. While the standards are not law - they are being developed by the PCI Data Security Council, an entity founded by American Express, MasterCard, VISA, DISCOVER and JCB International. Merchants found not to be in compliance with these standards could end up paying hefty fines or worse, lose the privilege of card processing.
PCI DSS differentiates compliance requirements based primarily on a merchants annual number of card transactions. Most XBS merchants fall into the level 4 category - see below:
- Level 1 - Merchants from whom cardholder data has been compromised and/or merchants with more than 6 million transactions annually across all channels - including e-commerce.
- Level 2 - Merchants with between 1 and 6 million credit card transactions annually.
- Level 3 - Merchants with between 20,000 and 1 million credit card transactions annually.
- Level 4 - ALL other merchants.
Compliance for each merchant level:
- Level 1 - Annual onsite PCI data security assessment and quarterly network scans
- Level 2 - Annual self-assessment and quarterly network scans
- Level 3 - Annual self-assessment and quarterly network scans
- Level 4 - Annual self-assessment and annual network scans
PCI DSS is built around a core group of principles and their requirements for all merchants to follow, a number of which represent best business practices for all business and may hopefully, already be in place. They are -
Build and Maintain a Secure Network.
Requirement 1 - Install and maintain a firewall configuration to protect cardholder data.
Requirement 2- Do not use vendor supplied defaults for system passwords and other security parameters
Protect Cardholder Data.
Requirement 3 - Protect stored cardholder data
Requirement 4 - Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program.
Requirement 5 - Use and regularly update anti-virus software.
Requirement 6 - Develop and maintain secure systems and applications
Implement Strong Access Control Measures.
Requirement 7 - Restrict access to cardholder data by business need to know.
Requirement 8 - Assign a unique ID to each person with computer access
Requirement 9 - Restrict physical access to cardholder data
Regularly Monitor and Test Networks.
Requirement 10- Track and monitor all access to network resources and cardholder data
Requirement 11- Regularly test security systems and processes.
Maintain an Information Security Policy.
Requirement 12: Maintain a policy that addresses information security.