Posts Tagged ‘pci compliance’

The PCI Compliance Myth That Could Cost You Money

Wednesday, October 1st, 2008

Everybody’s talking about Payment Card Industry (PCI) compliance and, if you’re an e-commerce merchant, you probably know by now that you have to bring your online store into compliance with the PCI Data Security Standard (DSS). But what does that mean to you? There’s a lot of confusion about what, exactly, you have to do to achieve full compliance.

One big myth that’s spreading among merchants is that payment gateway, shopping cart or web host compliance alone is all it takes. Get that established and you’re all set. Wrong! That’s a common misconception, and a potentially expensive one once the card brands and acquiring banks start assessing fines and penalties against the noncompliant. A compliant vendor covers only the part of the cardholder data environment that vendor operates; everything you run yourself (your web servers, your office network, your staff’s access to order data) remains your responsibility.

Think of it this way: if your house has four doors and only three of them are locked, is it secure against intruders? Of course it’s not. Any one of those locks is a great start, but no more than that. Until all four doors are locked up tight, that house will never be secure. The same goes for your e-commerce site. A compliant payment gateway, shopping cart or web host by itself is good to have but, without compliance in all areas, you’ve got a virtual unlocked door. With a great big welcome mat for intruders just outside.

The good news is that there are companies out there that can help. Just as there are websites that can guide you through completing and filing your taxes, there are many—like those of qualified security assessors (QSAs) and approved scanning vendors (ASVs)—that can walk you through the necessary steps to certified PCI compliance. It’s a complex but ultimately understandable process.

The Road to Compliance—All Gain, Little Pain
The PCI DSS is pretty clear. It groups its twelve requirements under six goals. Here they are, with some of the actions you’ll have to take to meet them:

• Build and maintain a secure network: install and maintain a firewall configuration that protects cardholder data, and never keep vendor-supplied defaults for system passwords and other security parameters.
• Protect cardholder data: protect stored cardholder data (keep only what you need, never store the full magnetic stripe, CVV2 or PIN after authorization, mask the PAN when it is displayed and render it unreadable wherever it is stored), and encrypt cardholder data whenever it is transmitted across open, public networks.
• Maintain a vulnerability management program: use and regularly update anti-virus software, and develop and maintain secure systems and applications (timely patching and secure coding practices).
• Implement strong access control measures: restrict access to cardholder data by business need-to-know, assign a unique ID to each person with computer access, and restrict physical access to cardholder data.
• Regularly monitor and test networks: track and monitor all access to network resources and cardholder data, keep the logs, and regularly test security systems and processes (quarterly vulnerability scans, annual penetration tests).
• Maintain an information security policy: maintain a policy that addresses information security for all personnel, and keep it updated as business conditions change.

Easy, right? Okay, it may seem like anything but. No worries—just take a breath and do what it takes to assess where you stand.


PCI Standard v1.2: What Do We Anticipate?

Thursday, August 14th, 2008

The wait for the next PCI standard revision is almost over. Like so many companies, we really want a sneak peek at the newer version. And like so many companies, we’re waiting until the PCI Security Standards Council Community Meeting in September to see it. Is it going to encompass major changes that are going to cause retailers to choke? I don’t think so.

The PCI Security Standards Council has been consistent in its guidance and public statements: no major overhauls to the standard, no new requirements added, but better clarification of some areas, and more consistent interpretation of the requirements by QSAs. If we look at some things the council has done in 2008, they’ve already given us a few sneak peeks.

The PCI council released two information supplements in April, one on Requirement 11.3 (penetration testing) and one on Requirement 6.6 (application code review and web application firewalls). We shouldn’t be surprised to see more details in the new standard around these areas. Both of these supplements give more clarification and guidance.

The PCI council also created special interest groups (SIGs) to focus on specific areas of the standard. One of these is the wireless SIG. This is a good idea, and I hope to see advancements on the wireless side of the standard. Requiring companies to check once a quarter for wireless devices can be improved significantly. Once a quarter? That’s saying the bad guys have a chance to get caught once every 90 days. I’d like those odds improved a bit in our favor. Advice on what to do if a rogue access point is found would also help.

Overall, I will say I’m a fan of the PCI standard. If you compare it with other compliance regulations, you have to like it. The PCI standard is 17 pages long, written in plain English. And it gives the message clearly and concisely. It’s a good way for a company to create a security best-practice foundation in their organization. An alternative is to use ISO 27001 or other frameworks and read through hundreds of pages written in legalese, and you’re still not quite sure what to do next. Give me PCI any day. It builds a good, strong foundation. Does it guarantee strong security? No, of course not. If it got that inflexible, everyone would complain that they couldn’t implement it. You can’t blame a weaker security posture on a compliance regulation. That’s like blaming the car when you run out of gas: obviously ridiculous.

The PCI standard is also a global standard that spans many industries beyond retail. Even so, it still hasn’t required major changes. Those are clear signs of best-practice guidelines. So, the wait is almost over, and I for one am hoping it’s a bit underwhelming and not so exciting.

Terri Quinn-Andry is responsible for compliance solution development at Cisco Systems, Inc.

What is PCI DSS Credit Card Compliance All About?

Monday, April 7th, 2008

Breaking it down, I will try to provide a brief explanation of what all this talk concerning credit card compliance is about, what it means to direct marketing companies now and in the future, and, most importantly, how you can tell who is and who isn’t compliant.

First, the acronym PCI DSS stands for Payment Card Industry Data Security Standard. The standard is set and endorsed by Visa, American Express, Discover Financial Services, JCB and MasterCard Worldwide through the PCI Security Standards Council they founded in 2006. In other words, ALL OF THE MAJOR CREDIT CARD COMPANIES.

The simple goal is to safeguard consumer credit card information and personal data by setting rigorous security requirements for every company that stores, processes or transmits cardholder data. So what is a LEVEL 1 company? The levels are validation tiers that the card brands assign by annual transaction volume, and Level 1 is the highest. A Level 1 service provider, which is what a fulfillment company, telemarketing company or database company handling card data for many merchants typically is, must have an annual on-site assessment by an independent Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor; lower-volume companies may validate with a self-assessment questionnaire. For your vendors, look for Level 1, third-party-assessed validation: a self-assessment alone tells you only what the vendor says about itself. Visa publishes its list of validated service providers at www.visa.com/cisp, so you can check whether your vendors are on it.

It is your obligation under your merchant agreement to ensure your vendors are LEVEL 1 validated and on the list. If not, you’re exposing your company to BIG $$$ FINES. A breach at any of your non-compliant vendors will cost you, and in the future all non-compliant companies will be levied hefty fines. Call your merchant processor and check your merchant agreement for details. Validation must come from a QSA approved by the PCI Security Standards Council (Trustwave, whose Trusted Commerce seal you may have seen, is one such firm). Once validated, companies will prominently display the validation seal on their website and other media, but a seal is only a claim; the card brands’ published lists are the record, so check the list rather than the logo.

George Fanolis is vice president of business development for Fosdick Fulfillment.