Archive for September 2006

Recent Changes to the Payment Card Industry Data Security Standard

Earlier this month, the PCI Security Standards Council announced version 1.1 of the Payment Card Industry Data Security Standard (PCI DSS). It is a bit challenging to find a description of the changes from the original version, at least on the “official” sites. However, there have been some fairly informative articles in industry publications that address some of these points.

In an article in InfoWorld entitled Card Industry Targets App Security, Paul F. Roberts highlights how the new standard focuses on application security, especially as it relates to track data (the full contents of a card’s magnetic stripe). Citing an analyst at Gartner, Mr. Roberts writes that track data “is valuable to hackers and identity thieves because it can be used to make counterfeit cards.” Martin Elliott, director of corporate risk and compliance at Visa, also spoke with Mr. Roberts about the risks related to track data, and Mr. Roberts writes, “In fact, many merchants may be unaware that their payment applications collect and cache the track data, leaving the merchant unprotected while giving the merchant a misplaced sense of security.” In other words, buying a packaged payment application does not by itself make a merchant secure. Visa has published its Payment Application Best Practices to address these concerns, along with a List of CISP-Validated Payment Applications.
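The practical check behind Mr. Roberts’ point is whether a payment application on your own systems is leaving full track data on disk after authorization, which PCI DSS Requirement 3.2 forbids. The following is an added example, not code from the article, from Visa, or from any vendor’s payment application: a small Python scanner that looks for the ISO 7813 Track 1 and Track 2 layouts in log or data files, discards digit runs whose account number fails the Luhn check, and reports only a masked PAN so the scan itself does not create another copy of cardholder data. The log lines are constructed for the example, and the latin-1 file decoding is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# ISO 7813 magnetic-stripe layouts.
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
# PAN lengths of 13-19 digits cover the major card brands.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check-digit test; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the masking PCI DSS permits on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    source: str
    line_no: int
    track: int
    masked_pan: str


def scan_lines(source: str, lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per Luhn-valid track-data match; the full PAN is never retained."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
            for match in pattern.finditer(line):
                pan = match.group("pan")
                if luhn_ok(pan):
                    findings.append(Finding(source, line_no, track, mask_pan(pan)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan a log or data file. latin-1 decoding is an assumption chosen to avoid decode errors."""
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return scan_lines(path, fh)


# Constructed POS debug log for this example. 4111111111111111 is a Luhn-valid test
# number, not a real account; the swipe ending in ...1112 fails Luhn and must not be reported.
SAMPLE_LOG = [
    "2006-09-14 10:02:11 INFO  auth ok txn=8841 amt=42.17",
    "2006-09-14 10:02:11 DEBUG raw swipe: %B4111111111111111^DOE/JOHN^09121010000000000000?"
    ";4111111111111111=09121011234567890?",
    "2006-09-14 10:03:54 DEBUG raw swipe: ;4111111111111112=09121011234567890?",
    "2006-09-14 10:05:00 INFO  settlement batch closed",
]

if __name__ == "__main__":
    for f in scan_lines("sample.log", SAMPLE_LOG):
        print(f"{f.source}:{f.line_no}: track {f.track} data cached, PAN {f.masked_pan}")
```

Run it against the application’s own log and data directories (scan_file on each file) rather than against a single constructed log; a hit in a debug log, a crash dump, or a database export is exactly the cached track data the article warns about. The Luhn filter removes most random digit runs, but a match is still only a lead to be confirmed by looking at how the application wrote that file.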

Another article, published in Transaction World under the title What’s Next With PCI Compliance, also addresses the Payment Application Best Practices. Its author points out that the card companies have imposed tighter restrictions even on lower-volume merchants, stating that “POS developers as well as smaller and mid-size merchants are now under scrutiny.”

Certainly, by imposing tighter standards on payment applications and smaller merchants, Visa and MasterCard are forcing these organizations to spend considerably more on PCI compliance. However, as attacks on payment systems proliferate, the entire payment network is only as strong as its weakest link, so even these holes must be plugged. As an alternative, these organizations, especially merchants, should investigate outsourcing their payment processing to a validated PCI-compliant service provider, which may offer substantial savings over the cost of self-compliance.

PCI Compliance for Service Providers FAQ

What is a PCI Service Provider? 

Any company that stores, processes, or transmits cardholder data on behalf of another entity is defined as a Service Provider under the Payment Card Industry (PCI) guidelines. Visa’s website provides the clearest information about how the PCI Data Security Standard (DSS) applies to Service Providers. However, Visa is just one of the companies participating in PCI; each of the major card companies runs its own security program with its own requirements for compliance and registration, and a Service Provider must understand and adhere to all of them.

How do we know what Service Provider Level we fit in?

Each of the card companies that participate in PCI has its own rules defining Service Provider Levels. For example, Visa, whose rules are available on its CISP for Service Providers page, defines the levels based on the number of annual transactions. However, there is one very important distinction in Visa’s rules that many service providers overlook: by Visa’s definition, any service provider that stores, processes, and/or transmits cardholder data as part of a payment transaction is a Level 1 Service Provider. In other words, a company that handles cardholder data as part of a payment is automatically Level 1.

MasterCard is also very clear in defining the levels for Service Providers for its SDP program. MasterCard defines two categories of Service Providers: Third Party Processors (TPP) and Data Storage Entities (DSE). The Service Provider Levels Defined page defines all Third Party Processors to be Level 1.

What are the requirements for becoming a Level 1 Service Provider in compliance with the PCI DSS?

There are two primary qualifications for a PCI Level 1 Service Provider. The first is successful completion of an On-Site PCI Data Security Assessment validated by a Qualified Security Assessor (QSA). To pass, the company must demonstrate compliance with 100% of the requirements detailed in the PCI Security Audit Procedures, which contain over 250 specific points of compliance. The second is successful completion of a PCI Security Scan by an Approved Scanning Vendor (ASV). Given the complexity of meeting the requirements, the compliance process often takes more than a year to complete.

PCI Compliance for Merchants FAQ

We are a small company or organization with a fairly low volume of transactions. Do we have to comply with PCI?

Absolutely. The card companies have made it clear that ANY entity that stores, processes, or transmits cardholder data must comply with the PCI requirements. Furthermore, the merchant agreement typically contains language binding the merchant to comply with PCI. What varies with the merchant’s transaction volume is how compliance must be validated, not whether the standard applies.

While the validation requirements are somewhat relaxed for smaller merchants, there are still many complexities that even a small merchant should consider, and I will mention only three major ones here. First, every merchant must comply with all of the various card companies’ requirements (see this post for more detail), so someone in the organization must invest time in understanding and navigating the maze of these requirements. Second, every merchant must validate compliance by hiring an Approved Scanning Vendor and completing a security compliance assessment. The scanning vendors charge widely varying fees for their services, and many merchants may find it necessary to hire a security consultant to complete the assessment, not to mention the costs of purchasing hardware, software, or consulting to meet the PCI standards. Third, every merchant is subject to the data breach laws of any state whose residents’ information the merchant has collected, where that information is covered by those laws. Clearly, the costs of PCI compliance should be weighed before a merchant undertakes any project involving cardholder data.

Is there any way for a merchant to avoid complying with PCI?

Well, sort of. Visa and the other card companies have made it clear, both on their websites and in their merchant agreements, that the merchant has primary responsibility for complying with the PCI requirements. The easiest way for a merchant to meet that responsibility is to outsource all handling of cardholder information to a Service Provider that is fully PCI compliant, so that cardholder data never touches the merchant’s own systems. The best way to find such a company is the List of Compliant Service Providers published by Visa.

We already use a service provider for accepting online payments. Does this ensure that we are PCI compliant?

It depends. Unfortunately, many service providers do not fully understand PCI compliance, and some that claim to be PCI compliant have not completed the validation and registration requirements. The only way to be sure that you are complying with the PCI requirements is to use a Service Provider that appears on the List of Compliant Service Providers published on Visa’s website.

We already use SSL on our website pages that transmit cardholder data. Does this make us PCI compliant?

No. The Payment Card Industry (PCI) Data Security Standard (DSS) comprises twelve general requirements. SSL encryption is essential, but it satisfies only a small part of one of the twelve (Requirement 4, which covers encrypting transmission of cardholder data across open, public networks); the other eleven, covering matters such as network security, access control, monitoring, and policy, are untouched by it.

We do not store any cardholder data. Does this make us PCI compliant?

No. Even if you do not store cardholder data, you must still comply with all of the PCI DSS, because the standard applies equally to data that is only processed or transmitted. Visa states this directly in its Frequently Asked Questions (see question 3).

We process credit cards on a server that is behind a firewall on our in-house network. Does this make us PCI compliant?

No. A firewall is certainly required for PCI compliance, but it addresses only one of the twelve general requirements. Furthermore, the PCI DSS places very rigorous requirements on the functionality of the payment application on that server and on the configuration and management of the server itself. Visa does publish a List of Validated Payment Applications, yet the document carries an explicit disclaimer that use of an application on the list does not by itself yield PCI compliance. Although running payment applications on an in-house server may offer some business advantages, this approach can substantially increase the complexity of PCI compliance, because the entire internal network to which that server is connected then falls within the scope of the standard.

What advantages does a merchant gain by using a validated PCI-compliant Service Provider?

To be clear, any service provider that has completed the PCI compliance process is named on Visa’s List of Compliant Service Providers. By outsourcing the handling of cardholder data to one of these Service Providers, a merchant can meet its own PCI obligations. Furthermore, by using such a Service Provider, a merchant can qualify for Visa’s Safe Harbor provision, which protects it from the card company’s fines in the event of a data compromise (the lawsuits and state notification duties discussed below are not affected).

Payment Card Industry (PCI) Compliance FAQ

What is the Payment Card Industry Data Security Standard? 

The Payment Card Industry (PCI) Data Security Standard (DSS) is the industry-mandated standard for protecting credit card account data that is stored, transmitted or processed electronically. The PCI Security Standards Council, the organization that owns, develops, maintains and distributes the PCI Data Security Standard (DSS), was jointly founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.

Who has to comply with the PCI DSS?

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is mandatory for any entity that stores, processes, or transmits cardholder data. For more detail, visit the Visa USA compliance website.

Does PCI replace the security programs of Visa, MasterCard, and the other credit card companies?

No. The PCI DSS is an industry-wide standard adopted by Visa, MasterCard, and the other major card companies. However, each company still has its own security program, which may include additional requirements and distinct processes for compliance and registration. This is probably one of the most confusing aspects of PCI: complying with the DSS is challenging enough, yet it is still necessary to work with each card company individually to abide by its specific rules. Below are links to more information about the security programs of some of the major card companies:

Visa Cardholder Information Security Program (CISP) 

MasterCard Site Data Protection (SDP) Program

Discover Information Security and Compliance (DISC) Program

American Express Data Security Requirements

Who enforces compliance with the PCI DSS?

Each of the card companies has its own enforcement program. Furthermore, each company has its own registration process and reporting requirements. See the previous question for links to each company’s security program.

Why should my organization comply with PCI?

If you are a merchant with a merchant account for accepting credit cards, it is very likely that your merchant agreement contains a provision requiring you to comply with PCI. In fact, Visa has revised its agreement to state explicitly that the merchant has primary responsibility for complying with PCI requirements (see the article in the June 2006 edition of The Green Sheet). The agreement may also specify penalties for non-compliance. More significantly, given the media attention focused on information security, you should take all commercially reasonable measures to protect your customers’ data from compromise.

What are the liabilities for failure to comply with the PCI DSS?

Just as each card company has its own enforcement program, each also has its own rules and penalties for failure to comply (see the links above for details). In general, a non-compliant entity may face restrictions on its ability to process transactions or to receive funds from them. In the event of a data compromise, the card companies have a demonstrated record of assessing substantial fines and terminating processing privileges. Keep in mind that a data breach may also lead to lawsuits and damages associated with the theft of personal information. Furthermore, numerous states have passed data breach disclosure laws that mandate prompt notification of consumers whose data may have been compromised.

Risk Assessment Related to Data Breach Laws

Several IT trade publications provide very good information on data security topics. As I come across articles of note, I will try to post them to this blog. Patrick R. Mueller wrote an article for Network Computing entitled Strategic Security: How to Survive Data Breach Laws. He emphasizes the importance of assessing the risks of a data breach for your organization, in other words taking a proactive approach instead of ignoring the laws and potential liabilities. The article also has links to other resources.

Welcome to ElectronicPaymentSecurity

This blog is dedicated to providing the most up-to-date information about online payment security. Actually, it covers electronic payment security more broadly, because security requirements and regulations generally apply to all electronic payments, both online and offline. The convenience of electronic payments clearly has a price, as evidenced by the proliferation of credit card fraud, identity theft, and other crimes. Consider these statistics:

There is good news, however. Recently established industry requirements and government regulations, if properly followed, can substantially reduce the risk of fraud. What are these standards and regulations, and how can your organization comply with them? This site addresses many of the most common questions in familiar FAQ fashion. If you have a relevant question that is not addressed here, we will soon allow you to post it, and we will do our best to have an industry expert respond and/or post a response on the site.