
PCI DSS FAQ

What is PCI DSS?

PCI DSS stands for the 'Payment Card Industry Data Security Standard', a set of industry-wide requirements and processes supported by all the international payment card systems. It was created by Visa and MasterCard and is endorsed by Amex, Discover, Diners and JCB. The security of cardholder account data has become one of the biggest issues facing the Payment Card Industry.

Why was it set up?

The security of cardholder details has become one of the biggest issues facing the payment card industry. Cases of cardholder data compromise have become a regular occurrence over the past few months. PCI DSS was therefore set up to ensure that valuable cardholder account data is always secure.

Do I need to become compliant?

Yes. Any company that transmits, processes or stores credit card information needs to comply with the standards set by the Payment Card Industry. The requirements for becoming PCI DSS compliant are dependent upon the merchant level that a company falls under. Merchants are divided into four different levels based on the number of transactions they process throughout a year.

Does it apply to any type of media?

Please note that PCI DSS regulations apply to any type of media on which card data is held. This includes the obvious, such as hard disk drives and floppy disks, but also printed credit/debit card receipts on which the full card number is printed. These receipts are held by merchants as a paper record of each card transaction and may be used for voucher recovery purposes, and also as evidence of the transaction should the acquirer issue a request for information (RFI). For these reasons the card number must be held in full, and consequently the receipts must be stored securely.

Retailers must also consider where else card details may be stored. For example, many EPOS systems take a copy of the card details (either swiped separately, or extracted from EFT receipt data) and store them unencrypted within their own databases for reconciliation and reporting purposes.

It is therefore not sufficient for a merchant to rely on the EFT software provider to fulfil PCI DSS compliance requirements - the entire system must be assessed and all areas of risk identified and closed off.

How can I establish which compliance level we fall into and what we must do?

Merchant levels.

Level 1 - Any merchant processing more than 6,000,000 Visa or MasterCard transactions per year. Any merchant that has suffered a compromise. Any merchant that Visa or MasterCard have identified as Level 1.

Must undergo an annual on-site audit with a Qualified Security Assessor (QSA) and a quarterly network security scan.

Level 2 - Any e-commerce merchant processing between 150,000 and 6,000,000 Visa or MasterCard transactions per year.

Must complete an annual self assessment questionnaire and a quarterly network security scan.

Level 3 - Any e-commerce merchant processing between 20,000 and 150,000 Visa or MasterCard transactions per year.

Must complete an annual self assessment questionnaire and a quarterly network security scan.

Level 4 - All other merchants.

Recommended to complete an annual self assessment questionnaire and annual network security scan.

Service Provider Levels.

For gateways, call centres, mailing houses, payment processors.

Level 1 - All VisaNet processors, payment gateways and internet payment service providers regardless of transaction numbers.

Must undergo an annual on-site audit with a Qualified Security Assessor (QSA) and a quarterly network security scan.

Level 2 - Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa or MasterCard transactions annually.

Must undergo an annual on-site audit with a Qualified Security Assessor (QSA) and a quarterly network security scan.

Level 3 - Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa or MasterCard transactions annually.

Must complete an annual self assessment questionnaire and a quarterly network security scan.

When do I need to be compliant by?

There have been a number of dates given for when merchants need to be compliant. The standard was introduced in 2004 and merchants were given the target of June 2005 to become compliant. This date was subsequently extended to 30 June 2007, and the current feeling is that it is unlikely to be extended again.

What must I do to become compliant?

The requirements are the same for all merchants irrespective of transaction volumes. The following gives you the broad outline. It should be pointed out that a number of the requirements will probably already be covered by a well-run, security-minded IT department.

There are 12 PCI DSS compliance requirements:

Build and maintain a secure network:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data:

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program:

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement strong access control measures:

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly monitor and test networks:

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an information security policy:

Requirement 12: Maintain a policy that addresses information security

What kind of network scan needs to be performed?

Vulnerability Assessment Scans must be performed by Payment Card Industry Qualified Security Assessors. The scan will be performed over all externally facing IP addresses that touch the credit card acceptance, transmission and storage process. Scans must be supplied to the merchant bank on a quarterly basis.

Do I still need to worry about PCI compliance if I use a managed service?

This is a popular misconception. Using a managed service like PSL Card certainly helps: depending on the type of service you use, there may be no cardholder data held within your organisation. However, to be considered fully PCI compliant you must still go through the assessment process and ensure no other vulnerabilities exist. This will include seeking documentary evidence from the managed service provider that they are fully PCI compliant.

How long does it take to become compliant?

The PCI compliance process can be very quick, depending on the security measures already in place within the merchant. The amount of time it takes for a company to be considered PCI compliant can also depend on the threats the PCI scan discovers, the time needed for remedial action, and the time it takes to complete the assessment questionnaire, which involves producing documentary evidence to back up each section. It can take from 1 to 4 months or more.

How do I report compliance?

Both the results of the PCI network scan and the annual self assessment questionnaire should be delivered to your merchant bank. Your merchant bank will then report back to the Payment Card Industry that your company is PCI compliant. Should you use an approved assessor, they can report on your behalf.

What happens if I am not compliant?

Failure to comply with the Payment Card Industry security standards may result in heavy fines, restrictions or permanent expulsion from card acceptance programs. We are informed that non-compliance fines start at $50,000 for Visa. A breach is charged at US $5.00 for each transaction compromised. The fines are discretionary; these would be the upper limits. Perhaps more damaging can be termination by your bank, plus adverse publicity affecting your brand.

Why didn’t anyone tell me about this?

PCI DSS is a relatively new program to the UK and Europe. Banks have communicated with the larger merchants but not necessarily all other merchants.

Is it worth the risk of delaying compliance?

Validation is strongly recommended. If there is a compromise and you are not compliant, you may be assessed for fines.

Useful references:

1. List of Visa approved assessors:

http://www.visaeurope.com/documents/ais/qualified_security_assessors.pdf

2. Self assessment, to enable an organization to assess its requirements:

http://www.visaeurope.com/documents/ais/PCI_DSS_self-assessment_questionnaire.pdf

3. A compromise case study:

http://www.visaeurope.com/documents/ais/compromise_case_study_insert.pdf

Note.

This information is provided on a best endeavours basis and may not be wholly accurate. Various references have been provided for further information.


© Copyright 2006 PSL.