PCI Compliance

PCI Overview
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide data security standard that applies to any organization that stores, processes or transmits cardholder data. Its purpose is to set out the security controls an organization must implement to protect cardholder data held in its IT systems. By implementing the PCI DSS requirements, an organization is able to demonstrate sound business practice and good corporate citizenship in protecting cardholder data, both to its customers and to the card brands and acquiring banks that enforce the standard.

PCI Brief History
PCI originally began as four different programs: Visa’s Cardholder Information Security Program, MasterCard’s Site Data Protection, American Express’s Data Security Operating Policy, and Discover’s Information Security and Compliance. Each company’s intentions were roughly similar: to create an additional level of protection for customers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. On the 15th of December 2004, Visa, MasterCard, American Express and Discover aligned their individual policies and created the Payment Card Industry Data Security Standard.

In September 2006, the card brands aligned again to create the Payment Card Industry Security Standards Council (PCI SSC). The Council took responsibility for fostering broad adoption of the PCI DSS v1.1 standard. The PCI SSC is an independent organization backed by all the major payment brands: American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.

Why Should I Comply with PCI DSS?
PCI DSS is reshaping the way businesses worldwide handle payment data. With electronic crime on the rise, customers are increasingly wary of doing business with a company or website that is not PCI compliant, and major corporations are increasingly refusing to do business with partners that are not PCI compliant.

Failure to comply with PCI DSS can result in heavy fines, restrictions, or even permanent expulsion from card acceptance programs. A significant number of companies have already suffered financially from fines, the cost of replacing cards, payment of fraudulent transactions, litigation costs, brand damage, loss of reputation, loss of customers, and even closure of their business.

Complying with PCI DSS provides a ‘seal of security’ for your business, which for some companies has led to a marked increase in sales. Companies have found that they can gain a competitive edge by contributing to the crackdown on credit card theft, identity fraud and other types of electronic crime. Finally, your business will be contributing to an improved consumer perception of e-commerce, and that benefits everyone.

Understanding PCI DSS V1.1
PCI DSS Version 1.1 can be summarized into twelve requirements, grouped under six control objectives (network security, protection of cardholder data, vulnerability management, access control, monitoring and testing, and information security policy). To comply, companies must:
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security

Where Can I Start to Meet Compliance?
When evaluating measures for ensuring PCI compliance, it is important to remember that the need for the PCI standard was driven by the rising number of data thefts and frauds in the payment industry, and by the devastating costs of those breaches, both to identity theft victims and to the financial services sector as a whole. Compliance is not the end goal: preventing data breaches is. The PCI standard should therefore be viewed in relation to the best available security practices. Ultimately, in implementing the standard, a company should be ensuring not only compliance but longer-term data security, especially as threats and the security industry continue to evolve.

While there are often a number of approaches an organization can take to achieve compliance in the near term, companies are well served by taking a “highest common denominator” approach: implementing the strongest control that satisfies a requirement makes the best use of security investments and does the most to reduce the risk of a breach.

What are Possible Technical Solutions?
OWL Risk Management Consulting (ORMC) provides a range of products to meet your technical requirements for PCI compliance. It can often be difficult to find solutions that meet both your technical and financial needs; ORMC provides a number of different options that make it easier for you to comply.

Where Can I Get Help?
OWL Risk Management Consulting provides initial training on understanding the PCI DSS 1.1 standard. Our friendly consultants can assist in the implementation of every aspect of the 12-point plan.

Please do not hesitate to Contact Us should you require any further information or services.

Website Links
International PCI Compliance Guide
The PCI Standards Council

Contact Us
__________________________________
Toll-free: 1-866-579-7475
Fax: 1-919-776-2740

E-mail: info@owlrisk.org