The Green Sheet Online Edition

July 23, 2007  •  Issue 07:07:02

PCI: Eye to eye with federal law

By Ross Federgreen

The Payment Card Industry (PCI) Data Security Standard is consistent with broad-based federal legislation dating back to the early 1990s. It is essential that you, as ISOs and merchant level salespeople, have basic knowledge of these laws so you can offer greater value to your customers.

The majority of merchants believe PCI does not affect them, is unfair, unenforceable, unnecessary and without merit. Also, those who recognize the importance of PCI and have attempted to become compliant have been given much erroneous information.

Take penetration scans, for example, which many mistakenly believe satisfy PCI compliance. In truth, penetration scans, while important, constitute neither the core nor the majority of PCI requirements.

Penetration scans are a minor PCI component; they do not and will not prevent the majority of breaches, which are local in nature. By local breaches, I mean breaches at merchants' facilities, perpetrated by employees or other parties in trusted relationships.

Legislation on the books

A significant number of major federal laws overlap with PCI. The emphasis in all of these is on appropriate procedure and policy to protect data integrity. The relevant acts include the:

Acts in the wings

Additionally, there is ongoing legislative activity in these areas both on the federal and state level. The most important piece of pending federal legislation is the 2007 Privacy and Data Security Act. On the state level, there has been much activity since the TJX Companies Inc. breach, placing additional regulatory and financial burdens on merchants.

A compelling concept voiced in the Privacy and Data Security Act of 2007 is the notion of "safe harbor" for compliance. Although how this would apply to individual merchants is not clear, it is being offered in a carrot-and-stick fashion.

Regulations in motion

Three of the security statutes that have wide application are the HIPAA Title II, GLB Act Title V and FTC Safeguards Rule. A brief synopsis of each follows:

HIPAA Title II, Security Rule

According to the Federal Register, HIPAA Title II affects up to four million entities. This includes everything from major medical centers to individual medical offices of every type.

Many of these facilities now accept credit cards, and the list is growing. Careful analysis of the requirements of HIPAA Title II reveals much overlap with PCI.

HIPAA Title II's final security compliance date for all entities covered by the act was April 2006.

HIPAA has the potential to have a far-reaching impact on enterprises in unrelated industries such as banking, accounting and financial services. This originates with HIPAA's provision governing the "business associates" of health care organizations.

The final security rule is divided into three broad categories of safeguards: administrative, physical and technical. It contains 42 security specifications.

The rule addresses the security posture needed to support the HIPAA Title I, Privacy Rule. The 42 security specifications are divided into those that are addressable and those that are required.

Addressable rules must be implemented based upon specific characteristics of a given entity. Required rules must be implemented by all covered entities. Required security specifications that overlap with PCI include:

Almost every required security issue listed in HIPAA Title II is associated with specific areas within PCI. The "rule book" for implementation of HIPAA Title II is the Centers for Medicare & Medicaid Services (CMS) Business Partners Systems Security Manual, Rev. 8, published April 6, 2007. The manual is 532 pages.

GLB Act Title V

The GLB Act addresses privacy and security obligations of financial institutions, which are defined broadly as entities engaged in financial activities such as banking, lending, insurance, loan brokering and credit reporting.

The act governs two distinct types of protection for personal information: protection of security and protection of privacy. The security provisions require standards regarding appropriate physical, technical and procedural safeguards to ensure the security and confidentiality of customer records and information, and to protect against anticipated threats and unauthorized access to such information.

FTC Safeguards Rule

The FTC Safeguards Rule applies to a variety of financial institutions that are not subject to the GLB Act. Examples include nonbank mortgage lenders, loan brokers, tax preparers and debt collectors. The rule requires covered entities to develop a written information security plan that assigns employees to:

It also mandates a data security plan that accounts for each entity's particular circumstances, including size and complexity, the nature and scope of activities, and the sensitivity of customer information it handles.

The critical concept of PCI is to give merchants the information they need to understand where security lapses may be present within their environments, and to give them true guidance about the rules and regulations that must be applied to meet their data security objectives.

This is why it is imperative to emphasize the policies and procedures that will achieve PCI compliance for merchants and, thus, protection for both consumers and the overall system.
