PCI DSS Compliance basics for credit card data security
Posted on 23 March, 2007 under Featured, PCI DSS Compliance by Bryan Johnson
PCI DSS Compliance is an industry-mandated security standard that applies to all businesses that handle, process or store credit cards. There are 12 requirements, but as an oversimplification it boils down to two things: 1) merchants cannot store certain credit card information, including CVV/CVV2 codes (the three- or four-digit numbers), track data from the magnetic stripe, and PIN numbers, and 2) if permitted credit card information such as name, credit card number and expiration date is stored, the storage security needs to meet certain requirements. A number of recent high-profile breaches have been raising awareness of the risks associated with PCI Compliance.
The motivation to become compliant
The major credit card companies have provided both carrots and sticks in order to compel merchants to become compliant. The incentives offered include ‘safe harbor’ from certain penalties and fines if a merchant is compliant at the time of a breach. Without compliance, if a merchant is breached and has credit card information stolen, depending on the size of the breach, PCI-related fines can be as high as $500,000 per incident. In severe cases, merchants can even be given the ‘Death Penalty’, preventing them from accepting credit cards. In addition to the PCI fines, merchants may also be subject to remediation costs that have been estimated at $90 to $302 per record (see graph below).
The Payment Card Industry Data Security Standard (PCI DSS)
What is PCI DSS?
It’s a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.
Who created it?
While Visa and MasterCard originally developed it, as of September of 2006, American Express, Discover, JCB, MasterCard and Visa jointly formed the PCI Security Standards Council.
Why was it created?
Because in the last few years there has been a spike in data security breaches. Organizations such as TJX, Bank of America, Citigroup, BJ’s Wholesale Club, Hotels.com, LexisNexis, Polo Ralph Lauren and Wachovia have been breached.
Who’s at risk?
Any business that processes, transmits, or stores credit card information. While the publicity around security breaches has recently been focused on larger companies, Visa reports that the majority of breaches are occurring at small businesses.
What are the 12 mandated security requirements?
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
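As an added example (not code from the original post), the following Python turns the storage rule described at the top of the post and requirement 3 ("Protect stored data") into a check a merchant's system could run before a transaction record or log line is retained: prohibited fields are dropped, and free text is scanned for magnetic-stripe track data. The field names, regular expressions and sample record are constructed for illustration and do not come from any real payment API.

```python
import re
from typing import Dict, List, Tuple

# Field names are constructed for this example; real gateway APIs differ.
# Sensitive authentication data the post says may never be stored:
PROHIBITED_FIELDS = {"cvv", "cvv2", "track1", "track2", "pin", "pin_block"}
# Data the post says may be stored, subject to storage-security requirements:
PERMITTED_FIELDS = {"cardholder_name", "pan", "expiry", "amount", "auth_code"}

# Magnetic-stripe track layouts: track 1 starts "%B<PAN>^<NAME>^<YYMM>...",
# track 2 starts ";<PAN>=<YYMM>..." and ends with "?".
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]*\^\d{4}")
TRACK2_RE = re.compile(r";\d{12,19}=\d{4,}\??")


def sanitize_for_storage(record: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split an authorization record into what may be persisted and what was
    dropped. Unknown fields are rejected rather than silently stored."""
    storable, dropped = {}, []
    for key, value in record.items():
        name = key.lower()
        if name in PROHIBITED_FIELDS:
            dropped.append(name)
        elif name in PERMITTED_FIELDS:
            storable[name] = value
        else:
            raise ValueError(f"unclassified field {key!r}: classify it before storing")
    return storable, sorted(dropped)


def find_track_data(text: str) -> List[str]:
    """Return any track 1/track 2 fragments found in a log line or stored blob,
    so a log scrubber or review can flag them before the data is retained."""
    return [m.group(0) for pat in (TRACK1_RE, TRACK2_RE) for m in pat.finditer(text)]


# Constructed sample: 4111 1111 1111 1111 is a well-known test PAN, not a live card.
SAMPLE_AUTH = {
    "cardholder_name": "J DOE", "pan": "4111111111111111", "expiry": "0912",
    "cvv2": "123", "track2": ";4111111111111111=09121011234567890?",
    "amount": "19.99", "auth_code": "A1B2C3",
}
SAMPLE_LOG = "2007-03-23 auth ok swipe=;4111111111111111=09121011234567890? amt=19.99"

if __name__ == "__main__":
    storable, dropped = sanitize_for_storage(SAMPLE_AUTH)
    print("stored:", sorted(storable), "dropped:", dropped)
    print("track data in log:", find_track_data(SAMPLE_LOG))
```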
What type of credit card information can be stored?
What do merchants have at risk if credit card information is breached?
Fines up to $500,000 per incident
Remediation costs estimated at $90 to $302 per record
Potential customer lawsuits
Company reputation and brand damage
There are different requirements for large and small businesses. These transaction volumes apply to the highest number of transactions of a single card type per year, e.g. a merchant doing 5,000,000 Visa and 2,000,000 MasterCard transactions annually, even though these cumulatively equal 7,000,000, would qualify as Level 2.
Definitions from above:
On-Site Security Audit
The audit must be completed by Level 1 merchants. A V/MC-approved Qualified Data Security Company should be engaged to complete the Report on Compliance.
PCI Security Audit Procedures & Reporting
Self-Assessment Questionnaire
This must be completed and submitted upon request by Level 2, 3 and 4 merchants. It should address any system(s) or system component(s) involved in processing, storing, or transmitting cardholder data. Level 4 merchants are required to complete the assessment to ensure their own compliance with the standard.
Network Scans
Network scans check systems for vulnerabilities. The non-intrusive scan is conducted remotely to review networks and Web applications based on the externally facing Internet Protocol (IP) address provided by the merchant. All merchants are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by a qualified independent scan vendor.
Validation
The Card Associations have set specific dates for validation. Level 1 merchants were required to validate compliance by 9/30/2007, Level 2 are expected by 12/31/07, and Level 3 and 4 are processor/acquirer specific.
Next Steps
Here is a list of steps to get started:
1. Identify the individuals that will be responsible for PCI compliance in your organization and assemble a team that includes members from each compliance area.
2. Determine your merchant level.
3. Engage with a certified PCI Compliance provider (we can refer you to our partner if preferred).
4. Make sure that your organization has an Information Security Policy and that it is being enforced.
5. Immediately address any significant deficiencies discovered during the assessment or scan.
6. Retain record of self-assessments, scans, and follow-up activities. Be prepared to provide these documents upon request.
What should you do if you’re compromised?
In the event of a security incident, merchants must take immediate action to:
1. Contain and limit the exposure. Conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise
2. Alert all necessary parties. Be sure to notify:
• Merchant Account Provider
• Visa Fraud Control Group at (650) 432-2978
• Local FBI Office
• U.S. Secret Service (if Visa payment data is compromised)
3. Provide the compromised Visa accounts to Visa Fraud Control Group within 24 hours.
4. Within four business days of the reported compromise, provide Visa with an incident report.
Here is a step-by-step guide from Visa - What To Do If Compromised.
Additional resources:
A non-profit organization, RSPA, produced a 12-minute video aimed at educating smaller restaurant and retail merchants about the risks associated with PCI Compliance.
Other related posts:
PCI DSS Compliance and the cost of a credit card breach
PCI DSS Payment Card Industry Self-Assessment Questionnaire (SAQ)
Vulnerability and security assessment scans for PCI DSS Compliance
Braintree solutions:
The Smart Approach to PCI DSS Compliance
9 Comments so far
This is great, Bryan; what an excellent, informative, easy-to-read format for learning about PCI Compliance. I learned about your blog from Waller’s blog. Great job!
I just purchased some equipment from Bose.com. I agreed to payment terms whereby they will charge my AMEX for the next year a certain amount until the purchase is paid in full. I also have other merchants who hit my CC every month, such as On Star and AOL. Are they storing my CVV number? If not how are they able to charge my card each month without reentering the data through my consent?
@Tom - per PCI guidelines, merchants are allowed to store your name, credit card number and expiration date after your initial purchase. In your case, if the merchant will be billing you on a recurring basis they will need this information in order to process the subsequent transactions. Merchants will often ask for or require that you enter your CVV code upon the initial purchase (if it’s done via the web or phone) as an added layer of protection that verifies that you are the cardholder. After the initial transaction, merchants do not need to process transactions with the CVV code as they already verified you during the first transaction and as you noted, they are prohibited from storing this information so it couldn’t be required for future transactions.
I have an American Express corporate card. My employer tells me they are exempt from complying with PCI data security standards as it is classified as a corporate program. I am very aware of what is in the news these days regarding credit card breaches and personally received a notice letter that one of my other credit cards and personal information may have been compromised. This is troubling and concerning - why don’t corporate card programs fall under this umbrella? It seems like a huge loophole to me.
@ Mike - only businesses that accept credit cards as a form of payment are required to comply with PCI DSS Compliance. If a company only uses them, compliance requirements do not apply.
Does anyone know the “official” dates that level 1, 2, 3, and 4 merchants have to be compliant? I can’t seem to find a consistent answer. Thanks.
@ Eric - Level 1 merchants were required to validate compliance by 9/30/2007 and Level 2 by 12/31/07. There have not been any official validation dates set for Level 3 & 4 merchants as the Card Associations have really left it up to the individual processors to manage this. Many Level 3 & 4 merchants have received letters from their processors in the past few months advising them of their deadline but again it varies processor to processor.
My Visa credit card has been compromised in a state I have never been to. How can someone use it to buy gasoline without using a card?
Thanks.
@ Patricia - if the required information is stolen, your credit card can actually be reproduced so it could be swiped.