With no shortage of widely publicized data breaches such as Target, TJ Maxx, Monster.com, Sony's PlayStation Network, and even VeriSign (to name a few), business owners must realize that they cannot afford to sit back and hope they never have a problem.
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. In practice that means essentially any merchant that has a Merchant ID (MID), as well as the service providers that handle card data on a merchant's behalf.
The Payment Card Industry Security Standards Council (PCI SSC) was launched in 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process.[1] The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council: the council publishes the standard, but fines, remediation deadlines and account termination come from your acquirer and the card brands.
PCI Compliance can be difficult, but it is worth it
Why should I care?
In an era of near exponential growth in technology, data security is an increasing concern for consumers. Compliance with PCI standards is a requirement, not a suggestion. Failure to comply can result in non-compliance fees, increased exposure to data breaches (and the forensic, notification and fine costs that follow one), and could ultimately lead to the termination of a merchant account, preventing the merchant from accepting credit card payments from customers at all.
There are several merchant levels and validation options. The card brands assign each merchant a level (1 through 4) based on annual transaction volume; lower-volume merchants validate with a Self-Assessment Questionnaire (SAQ), while the largest merchants need an on-site assessment by a Qualified Security Assessor (QSA) resulting in a Report on Compliance (ROC). Any merchant with externally facing systems in scope also needs quarterly external vulnerability scans from an Approved Scanning Vendor (ASV). Most acquiring banks have internal or partnered programs to assist merchants with this process and provide security consulting services for proactive and reactive measures. ASVs such as Trustwave, SecurityMetrics, and ControlScan (among many other providers) perform the approved scans and validation for a fee. The complete list of ASVs is published on the PCI SSC website.
The PCI SSC has released PCI DSS 3.0 (published November 2013), and its latest round of security requirement updates will compel merchants to invest more in security and to play a larger role in ensuring that credit card information is processed securely. What should merchants do to prepare? Here are some helpful tips:
- Perform a risk assessment to understand the risk posed to your systems and data
- Verify you have the appropriate security controls in place to help secure your systems
- Install security controls that monitor your systems and alert you about any suspect activity
- Train your developers in the Open Web Application Security Project's (OWASP) secure coding principles
- Perform a penetration test on your website to identify vulnerabilities that may lead to a compromise
- Work with a Qualified Security Assessor (QSA) to understand what you need to do to become PCI compliant[2]
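A concrete starting point for the first three tips (knowing where cardholder data actually sits on your systems, and alerting when it turns up somewhere it should not) is cardholder-data discovery. The following is an added example, not code from the original post or from the PCI SSC: a small Python scanner that pulls candidate card numbers out of application log lines, keeps only those that pass the Luhn check, and reports them masked to the first six and last four digits, the most PCI DSS allows to be displayed. The log lines are constructed for the example, and the regular expression, length bounds and masking rule are assumptions of this example; a heuristic like this complements a proper data-discovery tool rather than replacing it.

```python
"""Cardholder-data discovery over log lines (added example, constructed input).

Finds digit runs that look like a primary account number (PAN), keeps only
those that pass the Luhn mod-10 check, and reports each finding masked.
"""
import re
from typing import Dict, Iterable, List

# Assumption: PANs are 13-19 digits, optionally grouped with spaces or dashes.
# Lookarounds stop us from matching a 16-digit slice of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Filters out order IDs, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (the most PCI DSS permits to display)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> List[str]:
    """Return the Luhn-valid PANs in one line, separators stripped (unmasked)."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Scan log lines; report line number and masked PAN, never the full number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append({"line": lineno, "masked": mask_pan(pan)})
    return findings


# Constructed sample log. Card numbers are the public test numbers used by the
# card brands' sandboxes, not real accounts. Line 1 has a 16-digit order ID that
# fails Luhn (a false positive the check removes); line 5 has no PAN at all.
SAMPLE_LOG = [
    "2013-11-08 10:22:31 INFO  order=1234567890123456 amount=19.99 status=ok",
    "2013-11-08 10:22:32 DEBUG card=4111111111111111 exp=12/15 (debug logging left on)",
    "2013-11-08 10:23:05 WARN  retry for 4111 1111 1111 1111 after gateway timeout",
    "2013-11-08 10:24:11 DEBUG amex=378282246310005 phone=555-123-4567",
    "2013-11-08 10:25:00 INFO  request_id=8f3a9c2e-5b1d-4a77-9e0b-3c6d2f1a8b4e",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line {line}: PAN found ({masked})".format(**f))
```

Run against the constructed log, it reports lines 2, 3 and 4 and ignores the order ID on line 1 and the UUID on line 5. The useful part for a PCI programme is the second line: an application that logs full card numbers at DEBUG level pulls the whole logging pipeline into scope, and finding that before a QSA or an attacker does is exactly the kind of risk assessment the first tip calls for.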
In the end, PCI compliance is about protecting both the consumer and the merchant from unauthorized access to private information. A small investment and a little work can go a long way to ensure that we provide a safe and secure shopping experience for all.
[1] https://www.pcisecuritystandards.org/organization_info/index.php
[2] http://www.ecommercebytes.com/cab/abn/y13/m11/i08/s04