Your PCI DSS Compliance Requirements

What is PCI DSS Compliance?

“PCI DSS” stands for Payment Card Industry (PCI) Data Security Standard (DSS). It was developed by the major credit card companies (VISA, Mastercard, Discover, American Express and JCB) in 2004 as a guideline to help organizations that process card payments prevent credit card fraud, hacking, and various other types of card security breaches. A company that processes, stores, or transmits card numbers must be PCI DSS compliant or it risks losing the ability to process credit card payments.

Merchants and service providers must validate PCI compliance with an audit by a PCI DSS Qualified Assessor Company. Each merchant must also complete the annual Self-Assessment Questionnaire (SAQ) and, depending on the type of equipment used to process credit cards, submit to quarterly system penetration scanning.

Who has to comply?

The credit card companies have made it clear that ANY entity that stores, processes, or transmits cardholder data, regardless of its transaction volume, is required to comply with the PCI requirements. Failure to comply with the PCI security standard may result in substantial fines or permanent expulsion from card acceptance programs. Recent studies on financial fraud have indicated that hackers are increasingly targeting small commercial Web sites, increasing the need for all merchants and service providers to become fully compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).

What if I don’t comply?

These new card data security standards come with serious consequences. Failure to comply with PCI DSS requirements can result in stiff contractual penalties or sanctions from members of the payment card industry. These include:

  • Fines of $500,000 per data security incident
  • Fines of $50,000 per day for non-compliance with published standards
  • Liability for all fraud losses incurred from compromised account numbers
  • Liability for the cost of re-issuing cards associated with the compromise
  • Suspension of merchant accounts

Non-compliance is simply not worth the risk. It only takes one incident of data compromise to potentially put you out of business. The fines and penalties alone from a data breach are generally more than a merchant can financially bear, and the business fails because of it. If the merchant loses their merchant account altogether, business failure is imminent because retail simply cannot exist without the ability to accept credit and debit cards.

How do I comply?

The yearly Self-Assessment Questionnaire (SAQ) that you must submit to your processor consists of 75 questions that address 12 security requirements and all questions must be honestly answered YES, even the questions that seem to have no bearing on a particular merchant. To comply with PCI DSS, you must have a series of written security policies, procedures, employee handouts, and training aids all related to the secure handling and processing of credit card data. You must also ENFORCE those policies and procedures in your organization and prove that you do so with proper logging and security trails.

What happens if I am breached?

Currently 38 states have enacted some sort of breach disclosure law. In general, most state laws follow the basic tenets of California's original law, which was enacted in 2002. Companies that are breached must immediately disclose the data breach to customers, usually in writing. Companies must also notify their processor, who will then notify the bank. At that point the processor or bank will initiate a PCI DSS audit on the merchant to determine whether the merchant was in fact PCI DSS compliant at the time of the breach. Failure of the merchant to disclose a known breach would create the appearance that the merchant is involved in the breach, and not disclosing or hiding the breach could put the merchant in the position of having to mount a criminal defense.

If the PCI DSS audit concludes that the merchant was fully compliant at the time of the breach, then the merchant has a reasonable defense and has shown proper diligence in their card acceptance procedures. If the audit shows that the merchant was not actually in compliance at the time of the breach, despite having previously submitted their compliance SAQ, the merchant is then subject to very large fines, penalties, and actual damages, as well as the possibility of losing their card acceptance privileges permanently. It would be very difficult, if not impossible, for a breached merchant to survive the financial burden of the breach, let alone survive as a business without their merchant account.

At present, there are no known cases of a fully PCI DSS compliant merchant actually being breached.

What do I do if I am compromised?

Visa publishes a 23 page document discussing this issue called Visa Fraud Investigations and Incident Management Procedures.

What are the security requirements of PCI DSS?

There are 12 Requirements of the PCI DSS Standard organized into 6 logically related groups, which are called, “control objectives.” They are as follows:

  • Build and Maintain a Secure Network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update antivirus software
    • Requirement 6: Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to data
  • Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  • Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security

Merchants cannot rely on their bank, processors or vendors to make them compliant or even inform them of their responsibility. Merchants alone are responsible for their own compliance.

This Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data. PCI Compliance is not optional and the penalties are high should your organization be breached or if your non-compliance becomes known to VISA. Non-compliance puts your entire organization and your business at risk.

For more Information from Visa:
http://usa.visa.com/merchants/risk_management/cisp_merchants.html

For more information from the Better Business Bureau, see “Security & Privacy Made Simpler”.


What you better know!

  • The “2007 Annual Study: Cost of a Data Breach” says that data breach incidents cost U.S. companies US $197 per compromised customer record in 2007, compared to US $182 in 2006.
  • Average total per-incident costs in 2007 were US $6.3 million, up from US $4.8 million in 2006. The total cost of lost business increased by 30 percent to an average of US $4.1 million in 2007, around two-thirds of the average total cost per incident.
  • Breaches by third-party organizations such as outsourcers, contractors, employees, and business partners were reported by 40 percent of respondents, up from 29 percent in 2006.
  • The problem affects older POS PEDs (PIN entry devices) that are not tamper-evident or tamper-resistant, supplied by manufacturers such as VeriFone, Ingenico and Hypercom.
  • Migration of the PED Security Requirements and the corresponding evaluation program from JCB, MasterCard, and Visa to PCI SSC is in progress. The effective date of the PCI SSC PED Security Requirements will be July 2007.
  • Approvals for new deployments of pre-PCI approved POS PEDs are set to expire as of December 31, 2007. Is there a sunset date by which these devices must be removed from deployment?
  • Visa has set the deadline of 2010 for merchants to comply with the standard and remove older PEDs.


Merchant Support Network, Inc. • 1633 Bayshore Highway, Suite 327, Burlingame, CA 94010
Toll Free (800) 577-5977 • Email:
sales@merchantsupport.com • Web: www.merchantsupport.com • Sales Partner Login: www.msnipartners.net

Merchant Support Network Incorporated is a registered ISO/MSP of JP Morgan Chase Bank. American Express requires separate approval.
© Copyright 2009. Merchant Support Network, Inc. All Rights Reserved.