Wednesday, November 3, 2010

PCI-DSS in a Nutshell -- Joe Weiss, CISSP

What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI-DSS) is a widely accepted set of policies and procedures intended to improve the security of credit, debit and cash card data. The PCI-DSS was created by an independent council (the Payment Card Industry Security Standards Council), originally formed in 2006 by Visa International, MasterCard Worldwide, Discover Financial Services, American Express and JCB, with the goal of managing the evolution of PCI-DSS. It was created in response to a growing number of security breaches in the payment card industry over the last few years.
In a nutshell, it is a comprehensive list of security standards that establishes a process for handling, processing, storing and transmitting credit card data.
PCI-DSS has 12 core requirements and approximately 250 controls that basically come down to the following three items.
1) All merchants must achieve and maintain compliance at all times, regardless of what data is stored. All deadlines have now passed.
2) Certain information cannot be stored, such as CVV2, CVC2, CID, magnetic stripe data or PIN data.
3) If a cardholder's personal data such as name, credit card number, expiration date or service code is stored (all considered permitted data), there are certain security standards you must comply with.
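The split between prohibited storage (track data) and permitted-but-protected storage (the PAN) is something a log pipeline can enforce before anything reaches disk. The following is an added example, not part of the original post or any PCI Council material: it uses a Luhn check to tell real card numbers from other digit runs, detects simplified track 1/track 2 layouts (constructed for the example, not the full ISO 7813 format), removes track data outright and masks PANs to their last four digits. The sample log lines and the 4111... test number are constructed.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out most digit runs (order ids, timestamps) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Simplified magnetic-stripe layouts (constructed for this example, not full ISO 7813):
#   track 1: %B<PAN>^<NAME>^<YYMM><service code>...?
#   track 2: ;<PAN>=<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4,}\??")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4,}\??")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def find_sensitive(line: str) -> list:
    """Return (kind, pan) findings: track data may never be stored; a bare PAN may be stored only if protected."""
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        findings += [(kind, m.group(1)) for m in rx.finditer(line) if luhn_ok(m.group(1))]
    seen = {pan for _, pan in findings}
    for m in PAN_RE.finditer(line):
        if luhn_ok(m.group(1)) and m.group(1) not in seen:
            findings.append(("pan", m.group(1)))
    return findings

def redact(line: str) -> str:
    """Drop track data entirely and mask PANs to their last four digits before the line is written to disk."""
    def drop_track(m):
        return "[TRACK DATA REMOVED]" if luhn_ok(m.group(1)) else m.group(0)
    def mask_pan(m):
        pan = m.group(1)
        return "*" * (len(pan) - 4) + pan[-4:] if luhn_ok(pan) else pan
    line = TRACK1_RE.sub(drop_track, line)   # tracks first, so their PAN is not re-matched below
    line = TRACK2_RE.sub(drop_track, line)
    return PAN_RE.sub(mask_pan, line)

# Constructed sample log lines (the PAN is the common 4111... test number, not a real card)
SAMPLE_LOG = [
    "2010-11-03 10:01:02 INFO order=1234567890123456 amount=19.99",          # 16-digit order id, fails Luhn
    "2010-11-03 10:01:05 DEBUG swipe=;4111111111111111=2512101123? term=7",  # track 2 data: never store
    "2010-11-03 10:01:09 WARN retry pan=4111111111111111 exp=1225",         # PAN in clear: mask before storing
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print(find_sensitive(raw), "->", redact(raw))
```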
PCI-DSS Core Requirements
1) Install and maintain a firewall to protect all data.
2) Remove vendor defaults for system passwords.
3) Protect data at rest (stored data).
4) Encrypt the transmission of cardholder data and other sensitive information while it is in transit across public networks.
5) Use anti-virus software and keep definitions and software updated.
6) Develop secure systems and applications.
7) Restrict access to cardholder data to individuals that have a need to know.
8) Assign unique IDs to each user with computer access.
9) Restrict physical access to areas that contain systems that store cardholder data.
10) Track and monitor all access to all network resources and cardholder data.
11) On a regular basis, test security systems and processes.
12) Maintain a policy that specifically addresses information security.
Requirements differ for large and small businesses. The size of your business is determined by the number of credit card transactions it processes annually.
Level 1 Merchants process more than 6 million transactions annually including e-commerce and are required to have an on-site PCI Data Security Assessment and quarterly network scans.  On-site assessments may be completed internally or by an outside qualified security assessor.
Level 2 Merchants process 1 million to 5,999,999 transactions annually and are required to complete a Self-Assessment and perform quarterly network scans.
Level 3 Merchants process 20,000 to 1,000,000 e-commerce transactions annually and are required to complete a Self-Assessment and perform quarterly network scans.
Level 4 Merchants process less than 20,000 e-commerce transactions annually, or up to 1,000,000 VISA transactions annually across all channels, and are required to complete an annual self-assessment and annual security scans.
Network vulnerability scans are required of all outward-facing IP addresses. The self-assessment questionnaire mitigates risk from inside the firewall, and the scan identifies and mitigates risk from the outside.
Is PCI-DSS Compliance Required by Law?
46 states, the District of Columbia, Puerto Rico and the Virgin Islands have legislation that requires disclosure of data breaches.
Unlike security laws, the PCI Standards are not statutes or regulations enforced directly by the government.  PCI rules are imposed and typically enforced contractually through the PCI Contract Chain.  The contracts in the contract chain can include indemnification requirements, fines and penalties as well as duties to adhere to specific operating rules related to payment card transactions.
That being said, there is a push on legislatures and industry trade associations to enact a federal law around data security and breach notification. Outside of that, several states have currently enacted PCI-related laws. Minnesota has the Plastic Card Security Act, which opens companies up to private lawsuits (it does not affect Level 4 merchants). Nevada has the Security of Personal Information Law and Nevada Senate Bill 227, whose SB 227 Amendment specifically states a requirement to comply with the PCI-DSS. Washington State has a PCI law, HB 1149, which amends Washington's breach notice law. Massachusetts is introducing 201 CMR 17.00, which pulled in important concepts of PCI DSS and does not exclude Level 4 merchants. Several other states, such as Texas, California, Illinois and Connecticut, have attempted to enact PCI legislation that has either stalled or not passed.
Is there a future for PCI compliance to be called out in a broader scope across the states as a law? Governments move slowly, and PCI compliance is ever evolving; new PCI changes have recently been published. It would be very difficult for legislatures to keep up with the technology as it changes. It is speculated that many more states will adjust the classification of credit card information as personal information and create punitive measures for those that are negligent or have non-existent security measures to protect the data.
So what should a company do when comparing an industry standard against a current law? You must obey the law. You have a contractual requirement to perform the assessment and answer the question "Is it In Place or Not in Place". You must answer the intent behind that question without violating any local, state or national laws. If you can answer the question without violating any laws, then do so. If you cannot meet the requirement or a compensating control, then write down the reason you cannot: state that the requirement or compensating control cannot be met because of (insert name of law here).
In both instances you would still need to mark the requirement as in place and note the compensating control or law.
Some merchants are frustrated by PCI requirements, while others see them as basic security requirements that should already be in place. However, being compliant is not optional. Card associations have threatened larger merchants with the imposition of monthly fines until compliance is reached. There could also be the cost of increased processing fees. The most significant threat of non-compliance would be the fines and penalties levied against a merchant if they are found to be non-compliant at the time of a breach.
Who enforces PCI-DSS?
Enforcement of PCI-DSS and any non-compliance penalties are carried out by the individual payment brands and not by the PCI Security Standards Council.
Who is at Risk?
Any business or entity that processes, transmits and/or stores any credit card data.
Penalties for Non-Compliance
All the dates have passed for becoming PCI-DSS compliant, with the last deadline passing on December 31, 2007. Businesses can be fined up to $500,000, depending on the size or significance of the breach, and face costly legal action for non-compliance; severe penalties may include the loss of the ability to further accept or process credit cards. Remediation costs are currently estimated at $90 to $302 per record. Merchants that are currently at level 2, 3 or 4 and fail to comply can have their merchant level raised to level 1. This could be bad for business by inducing the additional costs of a more demanding level. In addition, the business risks a negative reputation as well as negative publicity, which will usually mean lowered customer confidence levels, lawsuits, cancelled accounts, fines or insurance claims.
What If My Business Is Breached?
In the event of a security breach you must take the following immediate action:
1) Immediately contain and limit the exposure.
2) Alert the necessary parties immediately.
a. Your internal information security group and incident response team.
b. Your merchant bank.
c. Local FBI office.
d. U.S. Secret Service (for compromised Visa data).
3) Provide all potentially compromised accounts to your merchant bank within 10 business days.
4) Within 3 business days of the reported compromise, provide an incident report document to your merchant bank.
There are additional resources which may be available to assist you in the event of a potential compromise, for example VISA has an incident response team which includes a VISA fraud control team and a CISP Team to assist responsible members.
If any VISA member fails to immediately notify VISA of a suspected or confirmed loss or theft of any transaction information, the member will be subject to a penalty of $100,000 per incident.
Risks and Costs
As an example, the TJX Companies suffered a huge data breach that started in 2005, when hackers spent 18 months exploiting weak wireless network security outside of TJX-owned locations. Over 100 million credit card numbers were compromised. TJX estimated the breach cost 118 million. Forrester Research, Inc. estimated it would cost TJX 1.35 billion in total losses after legal fees, call center costs and regulatory fines. AT&T, Chase Card Services, Heartland and others have all been affected by theft of data.
References:
State Security Breach Notification Laws, National Conference of State Legislatures
PCI Security Standards Council
State of Washington House Bill 1149
Nevada Security of Personal Information Law
Minnesota Plastic Card Security Act
Visa Incident Response

3 comments:

  1. This article was published in the United Kingdom via the Suzugia Group LTD.

  2. I admire this article for the well-researched content and excellent wording. I got so involved in this material that I couldn’t stop reading. I am impressed with your work and skill. Thank you so much. ISO 9001 toolkit

  3. I have a hard time describing my thoughts on content, but I really felt I should here. Your article is really great. I like the way you wrote this information. PCI DSS toolkit
