DATA SECURITY KNOWLEDGE BASE

The Payment Card Industry Data Security Standard (PCI DSS), a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment, was launched September 7, 2006, to manage PCI security standards and improve account security throughout the transaction process. An independent body created by Visa, MasterCard, American Express, Discover, and JCB, the PCI Security Standards Council (PCI SSC) administers and manages the PCI DSS. Interestingly, the payment brands and acquirers are responsible for enforcing compliance, rather than the PCI SSC.

An Overview of PCI SSC Data Security Standards

In an effort to enhance payment card data security, the PCI Security Standards Council provides comprehensive standards and supporting materials , which include a specifications framework, tools, measurements, and support resources to help organizations ensure the security of cardholder information at all times. The PCI DSS is the cornerstone of the council, as it provides the necessary framework for developing a complete payment card data security process that encompasses prevention, detection, and appropriate reaction to security incidents.

Tools and Resources Available From PCI SSC:

• Self Assessment Questionnaires to assist organizations in validating their PCI DSS compliance
• PIN Transaction Security (PTS) requirements for device vendors and manufacturers and a list of approved PIN transaction devices
• Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications to help software vendors and others develop secure payment applications
• Public resources
  • Lists of Qualified Security Assessors (QSAs)
  • Payment Application Qualified Security Assessors (PA-QSAs)
  • Approved Scanning Vendors (ASVs)
  • Internal Security Assessor (ISA) education program

Benefits of PCI Compliance

Complying with PCI Security Standards seems like a daunting task, at the very least. The maze of standards and issues seems like a lot to handle for large organizations, let alone smaller companies. Yet, compliance is becoming more important and may not be as troublesome as you assume, especially if you have the right tools.

According to PCI SSC, there are major benefits of compliance, especially considering that failure to comply may result in serious and long-term consequences. For example:

• PCI Compliance means that your systems are secure and your customers can trust you with their sensitive payment card information; trust leads to customer confidence and repeat customers
• PCI Compliance improves your reputation with acquirers and payment brands – just the partners your business needs
• PCI Compliance is an ongoing process that aids in preventing security breaches and payment card data theft in the present and in the future; PCI compliance means you are contributing to a global payment card data security solution
• As you make an effort to meet PCI Compliance, you’re better prepared to comply with additional regulations, such as HIPAA, SOX, and others
• PCI Compliance contributes to corporate security strategies (even if only a starting point)
• PCI Compliance likely leads to improving IT infrastructure efficiency

Difficulties Posed by PCI Non-Compliance

PCI SSC also points to potentially disastrous results of failing to meet PCI Compliance. After working to build your brand and secure customers, don’t take a chance with their sensitive information. By meeting PCI Compliance, you are protecting your customers so they can continue to be your customers. Possible results of PCI Non-Compliance include...

• Compromised data that negatively impacts consumers, merchants, and financial institutions
• Severely damaging your reputation and your ability to conduct business effectively, not just today, but into the future
• Account data breaches that can lead to catastrophic loss of sales, relationships, and community standing; plus, public companies often see depressed share price as a result of account data breaches
• Lawsuits, insurance claims, canceled accounts, payment card issuer fines, and government fines

PCI Compliance, as with other regulatory requirements, can pose challenges to organizations that are not prepared to deal with protecting critical information. But, protecting data is a much more manageable task with the right software and services. Choose a data loss prevention software that accurately classifies data and uses it appropriately so you can rest more easily knowing that your cardholder data is secure.