How to adhere to Payment Card Industry Data Security Standards Featured

8:00pm EDT March 26, 2010
How to adhere to Payment Card Industry Data Security Standards

As consumers rely more on debit and credit cards as opposed to cash, merchants are facing increased risk exposures if they don’t have proper security measures in place. Cyberthieves troll for information on merchant networks, which has resulted in significant security breaches that have made headlines.

In 2004, a consortium of credit card companies, including Visa, MasterCard, Discover and American Express, banded together to set Payment Card Industry (PCI) Data Security Standards. These standards direct merchants that process, store or transmit credit card information to maintain a secure environment. And if your business accepts credit or debit cards, the standards apply to you.

“Business owners have to comply with those security standards and implement safeguards to protect customer information,” says Ron Schmittling, security and privacy practice leader at Brown Smith Wallace LLC.

Smart Business spoke with Schmittling about how your company can meet PCI standards and protect against security breaches.

What is PCI compliance, and who must comply?

The three keywords for PCI compliance are process, store and transmit. If your organization processes, stores or transmits credit card information, you must maintain a secure environment as laid out by the PCI standards. So, if customers or vendors use debit or credit cards to make purchases from your business, you must be compliant. This includes meeting 12 standards, which can be broken down into six key areas: building and maintaining a secure network; implementing safeguards to protect cardholder data; maintaining a vulnerability management program; applying strong access control measures; regularly monitoring and testing network security; and enforcing an information security policy.

Your policy will ultimately drive the compliance process, so the first step is to take a security inventory of your business to determine how compliant it is, what security measures are in place and what weak spots must be addressed. An outside adviser with experience in security and privacy can provide feedback on how to structure a plan. This framework will set the tone for your internal compliance strategy and help protect your business.

PCI security standards are not laws; they are a method of self-imposed regulation by the consortium of credit card companies. There are no federal mandates in place, but there is a move in that direction since some states have started to pass laws or require organizations to comply with PCI Data Security Standards. This trend is expected to continue in association with the Data Breach Notification Laws movement.

What are the consequences of failing to comply with the standards?

At their discretion, payment brands such as Visa or MasterCard can fine acquiring banks $5,000 to $10,000 a month for PCI compliance violations. Banks are likely to pass these fees on to noncompliant merchants. Many banks have begun notifying noncompliant merchants of their need to comply or face fines.

You should review your merchant agreement and note any penalties and fees for noncompliance, which can include prohibiting merchants from processing credit card transactions, higher processing fees and other restrictions. Any fraud loss associated with a compromise in security may be borne by the merchant starting on the date of the security breach. Depending on the level of security negligence, the FTC could become involved and impose significant federal fines, up to $250,000 and/or up to five years in prison.

Not knowing is not a viable excuse for noncompliance and could cost you and your organization. It is your responsibility to understand your merchant agreement and what the PCI standards mean to your organization.

What steps can a company take to become PCI compliant?

Compliance responsibility depends on your merchant level, and there are four levels as defined by PCI Data Security Standards. Level 1 merchants are those that process more than 6 million transactions a year. It is important to note the annual transactions are measured in volume, not dollars. Level 2 includes merchants that process 1 to 6 million transactions per year. Level 3 covers merchants with 20,000 to 1 million e-commerce transactions per year. Level 4 includes any merchant with fewer than 20,000 e-commerce transactions per year, and all other merchants with fewer than 1 million transactions annually.

Companies in Levels 2, 3 and 4 follow the same compliance process that includes completion of an annual self-assessment questionnaire and having quarterly network scans performed by a PCI Approved Scanning Vendor (ASV). The results are submitted to the merchant’s bank. Level 1 merchants follow similar procedures, but also are required to have an annual on-site review completed by a Qualified Security Assessor (QSA), a PCI-certified provider and have an annual network penetration test performed. The QSA will submit the merchant’s Report on Compliance to its merchant bank. The PCI Council lists ASVs and QSAs at www.pcisecuritystandards.org.

Where should an organization start on its PCI compliance initiative?

The most important step is to set an internal policy of how you’ll address PCI compliance and information security. Too many times, organizations rush into identifying a new product they think will fix PCI compliance or information security problems instead of organizing their efforts around the organization’s overarching policies and processes.

Once that policy has been defined and implemented, an organization can begin to enforce it and truly drive its compliance initiatives. But compliance starts with your information security policy and security controls. Many organizations struggle with where to start, as PCI compliance can be a daunting and complex task. Reaching out to a QSA to kick-start your PCI compliance efforts is a great first step.

Ron Schmittling, CPA/CITP, CISA, CIA, is the security and privacy practice leader at Brown Smith Wallace LLC in St. Louis, Mo. Reach him at (314) 983-1398 or rschmittling@bswllc.com.