Archive for September 22, 2006

Payment Card Industry (PCI) Compliance FAQ

What is the Payment Card Industry Data Security Standard? 

The Payment Card Industry (PCI) Data Security Standard (DSS) is the industry-mandated standard for protecting credit card account data that is stored, transmitted or processed electronically. The PCI Security Standards Council, the organization that owns, develops, maintains and distributes the PCI Data Security Standard (DSS), was jointly founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.

Who has to comply with the PCI DSS?

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is mandatory for any entity that stores, processes, or transmits cardholder data. For more detail, visit the Visa USA compliance website.

Does PCI replace the security programs of Visa, MasterCard, and the other credit card companies?

No. The PCI DSS is an industry-wide standard that has been adopted by Visa, MasterCard, and the other major credit card companies. However, each of the companies still has its own security program, which may include additional requirements and distinct processes for compliance and registration. This is probably one of the most confusing aspects of PCI. While complying with PCI is challenging enough, it is still necessary to work with each of the credit card companies individually to abide by their specific rules. Below are links to more information about the security programs of some of the major credit card companies:

Visa Cardholder Information Security Program (CISP) 

MasterCard Site Data Protection (SDP) Program

Discover Information Security and Compliance (DISC) Program

American Express Data Security Requirements

Who enforces compliance with the PCI DSS?

Each of the credit card companies has its own enforcement programs. Furthermore, each company has its own registration process and reporting requirements. See the previous question for links to each company’s security program.

Why should my organization comply with PCI?

If you are a merchant with a merchant account for accepting credit cards, then it is very likely that your merchant agreement has a provision that requires you to comply with PCI. In fact, Visa has revised its agreement to explicitly state that the merchant has primary responsibility for complying with PCI requirements (see article in June 2006 edition of The Green Sheet). The agreement may also specify penalties for non-compliance. More significantly, given the media attention that is focused on information security issues, you should take all commercially reasonable measures to protect your customers’ data from being compromised.

What are the liabilities for failure to comply with the PCI DSS?

Just as each of the credit card companies has its own enforcement programs, they also each have their own rules and penalties for failure to comply (see links above for more details). In general, a non-compliant entity may face restrictions on its ability to process transactions or to receive funds from transactions. In the event of a data compromise, the credit card companies have a demonstrated record of assessing substantial fines and terminating processing privileges. Keep in mind that a data breach may also lead to lawsuits and damages associated with the theft of personal information. Furthermore, there are a myriad of data breach disclosure laws passed by numerous states that mandate prompt notification of consumers whose data may have been compromised.

Risk Assessment Related to Data Breach Laws

Several of the IT trade publications can provide you with very good information on data security topics. As I come across articles of note, I will try to post them to this blog. Patrick R. Mueller wrote an article for Network Computing entitled Strategic Security: How to Survive Data Breach Laws. He emphasizes the importance of assessing the risks of a data breach for your organization — basically, taking a proactive approach instead of ignoring the laws and potential liabilities. The article also has links to other resources.

Welcome to ElectronicPaymentSecurity

This blog is dedicated to providing the most up-to-date information about online payment security. Actually, it more broadly covers electronic payment security, because security requirements and regulations generally apply to all electronic payments – both online and offline. The convenience of electronic payments clearly has a price, as evidenced by the proliferation of credit card fraud, identity theft, and other crimes. Consider these statistics: 

There is good news, however. Recently established industry requirements and government regulations, if properly followed, can alleviate and even eliminate the risks of fraud. What are these standards and regulations, and how can your organization comply with them? This site attempts to address many of the most common questions in familiar FAQ fashion. If you have a relevant question that is not addressed here, we will soon allow you to post a question about electronic payment security. We will do our best to have an industry expert respond to relevant questions and/or post a response on the site.   
