By Ross Federgreen
The Payment Card Industry (PCI) Data Security Standard is consistent with broad-based federal legislation dating back to the early 1990s. It is essential that you, as ISOs and merchant level salespeople, have basic knowledge of these laws so you can offer greater value to your customers.
The majority of merchants believe PCI does not affect them, or that it is unfair, unenforceable, unnecessary and without merit. Worse, many of those who do recognize the importance of PCI and have attempted to become compliant have been given erroneous information along the way.
Take penetration scans, for example, which many mistakenly believe satisfy PCI compliance on their own. PCI DSS actually calls for two distinct activities here: quarterly external vulnerability scans performed by an Approved Scanning Vendor (Requirement 11.2) and penetration testing at least annually and after significant changes (Requirement 11.3). Both are important, but they constitute neither the core nor the majority of PCI requirements.
Scans and penetration tests are a small PCI component, and they do not and will not prevent the majority of breaches, which are local in nature. By local breaches, I mean those at merchants' facilities, perpetrated by employees or other parties in trusted relationships. An external scan of a merchant's Internet-facing systems says nothing about what an insider with legitimate access can do with cardholder data stored on a back-office PC or a paper receipt file.
A significant number of major federal laws overlap with PCI. The emphasis in all of these is on appropriate policy and procedure to protect the confidentiality and integrity of personal data, not on any single technical control. The relevant acts include the:
Additionally, there is ongoing legislative activity in these areas both on the federal and state level. The most important piece of pending federal legislation is the 2007 Privacy and Data Security Act. On the state level, there has been much activity since the TJX Companies Inc. breach, placing additional regulatory and financial burdens on merchants.
A compelling concept voiced in the Privacy and Data Security Act of 2007 is the notion of "safe harbor" for compliance. Although the application of this to individual merchants is not clear, it is being offered in a carrot and stick fashion.
Three of the security statutes that have wide application are the HIPAA Title II, GLB Act Title V and FTC Safeguards Rule. A brief synopsis of each follows:
According to the Federal Register, HIPAA Title II affects up to four million entities. This includes everything from major medical centers to individual medical offices of every type.
Many of these facilities now accept credit cards, and the list is growing. Careful analysis of the requirements of HIPAA Title II reveals much overlap with PCI.
The final compliance date for the HIPAA Security Rule was April 2006. That was the deadline for small health plans; all other covered entities had to comply a year earlier, in April 2005.
HIPAA has potential to cause far-reaching impact on enterprises in unrelated industries such as banking, accounting and financial services. This originates with HIPAA's provision governing the "business associates" of health care organizations.
The final Security Rule is divided into three broad categories of safeguards: administrative, physical and technical. Its 18 standards are broken down into 42 implementation specifications.
The Security Rule addresses the security posture needed to support the HIPAA Privacy Rule, which was likewise issued under the Administrative Simplification provisions of Title II (Title I of HIPAA covers health insurance portability, not privacy). The 42 implementation specifications are divided into those that are addressable and those that are required.
For an addressable specification, a covered entity must assess whether it is reasonable and appropriate in its environment and then either implement it, implement an equivalent alternative measure, or document why neither is necessary. Required specifications must be implemented by all covered entities without exception. Required security specifications that overlap with PCI include:
Almost every required security specification in the HIPAA Security Rule maps to a specific requirement within PCI. The "rule book" for implementation is the Centers for Medicare & Medicaid Services (CMS) Business Partners Systems Security Manual, Rev. 8, published April 6, 2007. The manual is 532 pages.
The GLB Act addresses privacy and security obligations of financial institutions, which are defined broadly as entities engaged in financial activities such as banking, lending, insurance, loan brokering and credit reporting.
The act governs two distinct types of protection for personal information: protection of security and protection of privacy. The security provisions require standards regarding appropriate physical, technical and procedural safeguards to ensure the security and confidentiality of customer records and information, and to protect against anticipated threats and unauthorized access to such information.
The FTC Safeguards Rule is the Federal Trade Commission's implementation of the GLB Act security provisions for financial institutions that fall under FTC jurisdiction rather than that of a federal banking regulator. Examples include nonbank mortgage lenders, loan brokers, tax preparers and debt collectors. The rule requires covered entities to develop a written information security plan that assigns employees to:
It also mandates a data security plan that accounts for each entity's particular circumstances, including size and complexity, the nature and scope of activities, and the sensitivity of customer information it handles.
The critical concept of PCI is to give merchants the information they need to understand where security lapses may exist within their environments, together with clear guidance on the rules and regulations that must be applied to meet their data security obligations.
This is why it is imperative to emphasize the policies and procedures that achieve PCI compliance for merchants, and thus protection for consumers and for the payment system as a whole, rather than any single scan or product.