What is the PCI Data Security Standard?
The Payment Card Industry (PCI) standard is a ‘security guideline’ developed by credit card companies to ensure the proper handling and protection of cardholder account and transaction information. The PCI Data Security Standard was formed when Visa’s Cardholder Information Security Program (CISP) and MasterCard’s Site Data Protection standards merged into the PCI standard in December 2004. The PCI standard consists of a set of 12 rules (below) for the secure handling of credit card data. This data can include credit card numbers and account holders’ personally identifiable information (such as address, SIN, SSN, etc.). Several major credit card companies have issued a requirement (such as Visa’s CISP) for merchants and service providers to comply with the PCI standard.
Requirements for PCI Compliance
PCI data security requirements apply to all members, merchants, and service providers that store, process or transmit credit cardholder data in any capacity, whether face-to-face or card-not-present, IP or dial-up connected, on paper or electronic media, etc. June 30, 2005 was set as the deadline for merchants and service providers to meet the relevant PCI standard; those failing to meet the required compliance may face fines (of up to $500,000 per incident) or restrictions by card companies such as Visa, MasterCard and American Express. Depending on the level* or ‘tier’ of the merchant or service provider, proving PCI compliance can require that a merchant undergo annual auditing by either a third-party auditor or the merchant’s own internal audit department.
As an example, Visa has mandated that in addition to adhering to the twelve security requirements and sub-requirements, compliance validation for CISP is required for Level 1, Level 2, and Level 3 merchants*, and strongly recommended for Level 4 merchants. To achieve CISP compliance validation, all members, merchants and service providers must adhere to the PCI Data Security Standard. CISP compliance validation identifies and corrects vulnerabilities by ensuring that appropriate levels of cardholder data security are maintained. Visa-approved Security Assessors can conduct CISP compliance audits.
*For an explanation of Visa-defined Merchant and Service Provider Levels, visit: http://usa.visa.com/business/accepting_visa/ops_risk_management/
12 Rules of PCI Compliance
The twelve requirements are grouped under the following six categories:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
For further details on the PCI Data Security Standard Guidelines, visit: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/