Your PCI DSS Compliance Requirements What is PCI DSS Compliance? “PCI DSS” stands for Payment Card Industry (PCI) Data Security Standard (DSS). It was developed by the major credit card companies (VISA, Mastercard, Discover, American Express and JCB) in 2004 as a guideline to help organizations that process card payments prevent credit card fraud, hacking, and various other types of card security breaches. A company processing, storing, or transmitting card numbers must be PCI DSS compliant or they risk losing the ability to process credit card payments. Merchants and Service Providers who process over 6M Visa transactions per year are required to have an on-site audit by a Qualified Security Assessor (QSA). This only represents a small percentage of merchants accepting credit cards. All other merchants are required to complete an annual Self-Assessment Questionnaire (SAQ) and may be required to submit a compliant vulnerability scan on a quarterly basis. Who has to comply? The credit card companies have made it clear that ANY entity that stores, processes, or transmits cardholder data regardless of their transaction volume, are required to comply with the PCI requirements. Failure to comply with the PCI security standard may result in substantial fines or permanent expulsion from card acceptance programs. Recent studies on financial fraud have indicated that hackers are increasingly targeting small, commercial Web sites, increasing the need for all merchants and service providers to become fully compliant with the Payment Card Industry (PCI) Data Security Standard (DSS). What if I don’t comply? These payment card data security standards come with serious consequences. Failure to comply with PCI-DSS requirements can result in stiff penalties if your business suffers a data compromise. These include: Fines of up to $500,000 per data security incident Liability for all fraud losses incurred from compromised account numbers Liability for the cost of re-issuing cards associated with the compromise Suspension of merchant accounts Non compliance is simply not worth the risk. It only takes one incident of data compromise to potentially put you out of business. The fines and penalties alone of a data breach are generally more than a merchant can financially bear and the business fails because of it. If the merchant looses their merchant account altogether, business failure is imminent because retail simply cannot exist without the ability to accept credit and debit cards. How do I comply? A completed Self-Assessment Questionnaire (SAQ) is required annually. There are four different Validation Types and you will choose the SAQ Validation Type based on the way you process credit cards. The number of questions you are required to complete will vary depending on the SAQ form – anywhere from 11-226 questions. Once the applicable SAQ is completed and you have met all requirements, including written security policies, procedures, employee handouts and training aids related to the secure handling and processing of credit card data, you will be able to access your Attestation of Compliance. Some merchants require a vulnerability scan depending on their SAQ type and the way they handle, process and/or store credit card data. If a scan is required, you will need to submit a passing scan on a quarterly basis in addition to the annual SAQ completion. What happens if I am breached? Currently 44 states have enacted some sort of breach disclosure law. In general, most state laws follow the basic tenets of California's original law which was enacted in 2002. Companies who are breached typically have to immediately disclose the compromise to affected customers, usually in writing. Companies must also notify their processor who will then notify the bank. At that point the payment brand, processor or bank may initiate a forensic audit on the merchant to see if the merchant was in fact PCI DSS compliant at the time of the breach. Failure of the merchant to disclose a known breach would create the appearance that the merchant is involved in the breach. This situation could put the merchant in a possible criminal defense position by not disclosing or hiding the breach. If the forensic audit concludes that the merchant was fully compliant at the time of the breach then the merchant has a reasonable defense and has shown proper diligence in their card acceptance procedures. If the audit shows that the merchant was not actually in compliance at the time of the breach, despite having previously submitted their compliance validation documentation, the merchant is then subject to large fines, penalties, and actual damages as well as the possibility of losing their card acceptance privileges. It would be challenging for a breached merchant to survive the financial burden and reputation damage resulting from a breach let alone be able to survive as a business without their merchant account. What do I do if I am compromised? Visa publishes a 23 page document discussing this issue called Visa Fraud Investigations and Incident Management Procedures. What are the security requirements of PCI DSS? There are 12 Requirements of the PCI DSS Standard organized into 6 logically related groups, which are called, “control objectives.” They are as follows: Build and Maintain A Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update antivirus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security Merchants cannot rely on their bank, processors or vendors to make them compliant or even inform them of their responsibility. Merchants alone are responsible for their own compliance. This Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data. PCI Compliance is not optional and the penalties are high should your organization be breached or if your non-compliance becomes known to VISA. Non-compliance puts your entire organization and your business at risk. For more Information from Visa: http://usa.visa.com/merchants/risk_management/cisp_merchants.html For more information from the Better Business Bureau “Security & Privacy Made Simpler” - Click here What you better know! 2007 Annual Study: Cost of a Data Breach" says that data breach incidents cost U.S. companies US $197 per compromised customer record in 2007, compared to US $182 in 2006.   Average total per-incident costs in 2007 were US $6.3 million, up from US $4.8 million in 2006. The total cost of lost business increased by 30 percent to an average of US $4.1 million in 2007, around two-thirds of the average total cost per incident.   Breaches by third-party organizations such as outsourcers, contractors, employees, and business partners were reported by 40 percent of respondents, up from 29 percent in 2006.   The problem affects older POS PED’s which are not tamper-evident or tamper-resistant. Supplied by manufacturers such as VeriFone, Ingenico and Hypercom.   Migration of the PED Security Requirements and the corresponding evaluation program from JCB, MasterCard, and Visa to PCI SSC is in progress. The effective date of the PCI SSC PED Security Requirements will be July 2007.   Approvals for new deployments of pre-PCI approved POS PED’s are set to expire as of December 31, 2007. Is there a sunset date by which these devices must be removed from deployment?   Visa has set the deadline of 2010 for merchants to comply with the standard and remove older PED’s. Electronic Commerce International • 7670 W. Lake Mead Blvd, Suite 140, Las Vegas, NV 89128 Toll Free (888) 404-7500 • Email: sales@ecina.com • Sales Partner Login www.ecina.net ECI is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA. American Express requires separate approval. © Copyright 2009. Electronic Commerce International. All Rights Reserved.