Data security, credit card fraud and identity theft are hot topics around the globe in any industry.
Companies are concerned about protecting databases that contain confidential information about customers and employees. The United States Federal Trade Commission estimates that as many as 10 million Americans have their identities stolen each year. Each day brings new headlines surrounding the topic.
In response to this pervasive threat, the major card brands created the Payment Card Industry Data Security Standard (PCI DSS) to safeguard cardholder data. PCI DSS is a common set of security requirements and assessment procedures for the safe handling of cardholder data.
PCI compliance mandates that merchants and service providers meet minimum standards of security to protect confidential customer information. The risk of data theft is an enormous liability for any organization. Credit card associations levy fines on the offending organization and the public loses confidence in the brand.
There are 12 requirements an organization must meet to remain compliant with PCI DSS.
Merchant banks (acquirers) enforce the PCI standard on behalf of the card networks. Penalties for non-compliance can reach up to $500,000 per incident, not to mention the reputation cost of making headline news after a breach of cardholder data.
PCI standards, which apply to store merchants, banks, service providers and card processors, aim to reduce the risk of a security threat by mandating the proper use of firewalls, message encryption, computer access controls and antivirus software. They also require frequent security audits and network monitoring and forbid the use of default passwords.
Paymetric focuses on Requirements 3 and 4 of PCI DSS to help companies protect their cardholder data.
PCI Requirements to Protect Cardholder Data
(PCI DSS Requirement 3)
Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, the data remains unreadable and unusable without the proper cryptographic keys. That protection holds only if the keys are stored apart from the encrypted data and are themselves protected and changed periodically, which is what the sub-requirements below address.
3.5.2 Store keys securely in the fewest possible locations and forms.
3.6.3 Secure key storage
3.6.4 Periodic changing of keys
- As deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically
- At least annually.
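The three sub-requirements above fit together in one design, shown here as an added example that is not Paymetric's product code or text from the PCI DSS itself. Records are sealed with AES-256-GCM under a data-encryption key (DEK); the DEK is stored only once, in wrapped form (3.5.2, 3.6.3), under a key-encryption key (KEK) that is held apart from the record store; and re-keying (3.6.4) decrypts every record under the old DEK and re-encrypts it under a fresh one. The vault, the `Vault`, `seal`, `open` and `RotateDEK` names, the in-memory KEK field standing in for an HSM or KMS, and the sample record are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Vault stores each PAN only as AES-256-GCM ciphertext under a data-encryption key
// (DEK) that sits beside the records only in wrapped form; the key-encryption key
// (KEK) lives apart from the record store (an in-memory stand-in for an HSM or KMS).
type Vault struct {
	kek, wrappedDEK []byte
	records         map[string][]byte // record ID -> nonce || ciphertext || tag
}

var dekAAD = []byte("dek") // context label bound to the wrapped DEK

// must panics on errors that cannot occur with well-formed keys (bad key length, CSPRNG failure).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() []byte {
	k := make([]byte, 32) // AES-256
	must(rand.Read(k))
	return k
}

// seal encrypts under key with a fresh random nonce; aad binds the blob to its slot
// (record ID, or dekAAD for the wrapped key) so ciphertexts cannot be swapped around.
func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong aad or any tampering fails the GCM tag check.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

func NewVault() *Vault {
	v := &Vault{kek: newKey(), records: map[string][]byte{}}
	v.wrappedDEK = seal(v.kek, newKey(), dekAAD)
	return v
}

// dek unwraps the current DEK with the KEK on demand; the clear DEK is never stored.
func (v *Vault) dek() ([]byte, error) { return open(v.kek, v.wrappedDEK, dekAAD) }

func (v *Vault) Store(id, pan string) error {
	dek, err := v.dek()
	if err != nil {
		return err
	}
	v.records[id] = seal(dek, []byte(pan), []byte(id))
	return nil
}

func (v *Vault) Lookup(id string) (string, error) {
	dek, err := v.dek()
	if err != nil {
		return "", err
	}
	pt, err := open(dek, v.records[id], []byte(id)) // unknown ID: nil blob, so an error
	return string(pt), err
}

// RotateDEK is the periodic re-keying of 3.6.4: every record is decrypted under the
// old DEK and re-encrypted under a fresh one, which is then wrapped in its place.
func (v *Vault) RotateDEK() error {
	oldDEK, err := v.dek()
	if err != nil {
		return err
	}
	newDEK := newKey()
	for id, blob := range v.records {
		pt, err := open(oldDEK, blob, []byte(id))
		if err != nil {
			return err
		}
		v.records[id] = seal(newDEK, pt, []byte(id))
	}
	v.wrappedDEK = seal(v.kek, newDEK, dekAAD)
	return nil
}

func main() {
	v := NewVault()
	must(0, v.Store("cust-42", "4111111111111111")) // constructed sample record
	must(0, v.RotateDEK())
	fmt.Println(v.Lookup("cust-42"))
}
```

Because the DEK exists in exactly one stored form, rotating the KEK is a matter of unwrapping the DEK and rewrapping it under the new KEK, which leaves the encrypted records untouched; only a DEK rotation has to touch the data. In production the KEK would be generated and used inside an HSM or a cloud KMS rather than held in process memory, and the re-key would run in batches with both key versions live until every record had been re-sealed.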
PCI DSS Standards
Merchants processing more than 20,000 e-commerce transactions annually are required to have their external network scanned quarterly by an Approved Scanning Vendor and to validate their PCI DSS compliance annually, by self-assessment questionnaire or, for the largest merchants, an on-site assessment. The mandate applies to hundreds of thousands of organizations around the world, and complying with the standard is no simple task.
Card issuers have made it clear that failure to comply with the PCI’s detailed technical requirements will result in substantial penalties, including fines.
PCI DSS requires companies to meet 12 requirements, grouped under the following goals:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data and sensitive information across open public networks.
* Paymetric provides solutions to help organizations protect stored cardholder data.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
For more detailed information on PCI, please visit: www.pcisecuritystandards.org