Payment Card Industry Data Security Standards Overview

Thursday, March 17, 2011

Jon Stout


The Payment Card Industry (PCI) Data Security Standard (DSS) provides a set of Control Objectives for securing information systems involved in the handling of payment card data or transactions. 

It was originally created in 2004, when five major payment card brands (MasterCard, Visa, American Express, Discover, and JCB International) aligned their individual information security programs into a common standard for every organization that handles their cards.

This effectively produced a global standard for the protection of payment card data. The PCI Security Standards Council (SSC) manages the standard and oversees its implementation. Version 1.2 of the PCI DSS was released in October 2008, and version 2.0 followed in October 2010.

In a nutshell, the PCI DSS groups its twelve requirements under six goals: build and maintain a secure network (a documented firewall configuration and no vendor-supplied default passwords or security parameters); protect cardholder data, both in storage and in transmission over open, public networks; maintain a vulnerability management program (anti-malware controls plus secure systems and applications); implement strong access control measures (need-to-know access, unique user IDs, and physical access restrictions); regularly monitor and test networks and security processes; and maintain a formal information security policy.

The purpose of the PCI DSS is not only to reduce the amount of payment card fraud and identity theft, but also the costs of mitigating the institutional risks associated with those activities. 

According to the British Crime Survey, payment card fraud amounted to £610 million (about $960 million) in 2009 and affected 6.4% of card holders, a 40% rise over the prior year. Identity theft, closely related to card fraud, affects roughly 2 in every 1,000 people in the UK each year; in the US the figure is closer to 30 in every 1,000.

Merchants bear direct liability for fraudulent transactions and face stiff penalties and clean-up costs when cardholder data is lost.

Although those costs are ultimately passed on to the consumer, the economic damage is real, and the loss of consumer trust in careless firms, or firms perceived to be careless, can be incalculable.

All merchants and service providers that accept a payment card branded by one of the participating card companies listed above are required to comply with the PCI DSS. Those found not to be in compliance face ongoing fines until the deficiencies are corrected or the brand accepts a compliance plan. Individual card brand policies do vary, however:

Merchants with smaller annual transaction volumes (nominally under 20,000) may or may not be required to formally document their compliance. The largest merchants must undergo an on-site assessment, while mid-sized merchants can document their compliance through a Self-Assessment Questionnaire (SAQ).

Merchants and service providers undergoing a formal on-site assessment need a Qualified Security Assessor (QSA) to perform it; companies that qualify for self-assessment may choose to engage a QSA to assist with, or conduct, their SAQ.

Firms requiring an audit or an assessment also need quarterly external vulnerability scans of their Internet-facing systems to verify that the required security controls are functioning properly.

These scans must be performed by an Approved Scanning Vendor (ASV). The PCI SSC runs a recurring qualification program for QSAs and ASVs and maintains a list of currently qualified providers on its website.

Sensitive data and the immense potential financial gains for attackers make security a serious issue for the payment card industry, and compliance with the PCI DSS requires qualified analysis and technical support.

Aspiration Software LLC has over 10 years of experience in the Intelligence Community and the Department of Defense providing high-quality Information Technology, Systems Engineering, and Cyber Security solutions. Our core capabilities include Software Development and Systems Integration, Database Development, and Cyber Security and Information Assurance.
