Entrust
Securing Digital Identities & Information

Achieving Compliance

What is the PCI Data Security Standard?

The Payment Card Industry (PCI) standard is a ‘security guideline’ developed by credit card companies to ensure the proper handling and protection of cardholder account and transaction information. The PCI Data Security Standard was formed when Visa’s Cardholder Information Security Program (CISP) and MasterCard’s Site Data Protection standards merged into the PCI standard in December 2004. The PCI standard consists of a set of 12 rules (below) for the secure handling of credit card data. This can include credit card numbers and account holder personal identifiable information (such as address, SIN, SSN, etc). Several major credit card companies have issued a requirement (such as Visa’s CISP) for merchants and service providers to comply with the PCI standard.

Requirements for PCI Compliance

PCI data security requirements apply to all members, merchants, and service providers that store, process or transmit credit cardholder data in any capacity, whether face-to-face or card-not-present, IP or dial-up connected, paper and electronic media, etc. June 30, 2005 was set as a deadline for merchants and service providers to meet the relevant PCI standard and those failing to meet the required compliance may face fines (that can be up to $500,000 per incident) or restrictions by card companies such as Visa, Mastercard and AmericanExpress. Depending on the level* or ‘tier’ of the merchant or service provider, proving PCI compliance can require that a merchant undergo annual auditing by either a third party auditor or the merchant’s own internal audit department.

As an example, Visa has mandated that in addition to adhering to the twelve security requirements and sub-requirements, compliance validation for CISP is required for Level 1, Level 2, and Level 3 merchants*, and strongly recommended for Level 4 merchants. To achieve CISP compliance validation, all members, merchants and service providers must adhere to the PCI Data Security Standard. CISP compliance validation identites and corrects vulnerabilities by ensuring that appropriate levels of cardholder data security are maintained. Visa-approved Security Assessors can conduct CISP compliance audits.

*For an explanation of Visa-defined Merchant and Service Provider Levels, visit: http://usa.visa.com/business/accepting_visa/ops_risk_management/

12 Rules of PCI Compliance

Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect data
    2. Do not use vendor-supplied defaults for system passwords and other security

parameters

Protect Cardholder Data
  1. Protect stored data
  2. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  1. Use and regularly update anti-virus software
  2. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  1. Restrict access to data by business need-to-know
  2. Assign a unique ID to each person with computer access
  3. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes
Maintain an Information Security Policy
  1. Maintain a policy that addresses information security

For further details on the PCI Data Security Standard Guidelines, visit: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/