By Nicholas Cucci
Network Merchants Inc.
The protection of financial data linked to payment cards and online accounts has been increasingly scrutinized both by the financial industry and federal regulators. ISOs, merchant level salespeople (MLSs) and merchants must recognize that data breaches can happen to any organization. If you collect or store sensitive information, you are at risk. Understanding the Payment Card Industry (PCI) Data Security Standard (DSS) will help you avoid costly breaches and regulatory fines.
Several large-scale data thefts occurred in 2011, alarming merchants and cardholders alike. Here are the incidents receiving the most attention.
Data breaches affect everyone, including acquiring banks, processors, ISOs, MLSs, value-added resellers, merchants and consumers.
The PCI DSS is extremely important to the industry. Why is PCI compliance so crucial? If you are a merchant or ISO that processes, stores or transmits card data, you must comply with the PCI DSS and the related standards that apply to you. Failure to comply can bring serious consequences, including noncompliance fees assessed through the acquiring bank, higher liability if a breach occurs, and ultimately the loss of the ability to accept cards. Remaining noncompliant can be devastating.
Merchants are responsible for choosing service providers that are PCI DSS compliant. Service providers must offer their merchants safe and reliable solutions and maintain their own PCI compliance. Merchants must also realize that using compliant service providers does not by itself make the merchant compliant; the merchant remains responsible for the card data it handles in its own environment. Businesses may be required to change the way they operate to become PCI compliant. Failure to do so, when necessary, can cost a company more fees and fines. Some notable requirements include maintaining:
The PCI standards are absolutely crucial in protecting consumers from theft by fraudsters. The PCI DSS limits access to cardholder data to minimize the risk of sensitive data being stolen. It focuses on protecting cardholder data, including how it is transmitted and stored.
Business owners who need to store cardholder information are obliged to protect that data. They must restrict access to cardholder data based on business need, making sure that no one can reach the data unless sufficient safeguards are in place. Wherever the primary account number (PAN) is stored, it must be rendered unreadable, for example by truncation, keyed hashing, tokenization or strong encryption, so that someone who obtains unauthorized access cannot use the data without the key, and the key itself must be stored and protected separately from the data it protects. Masking (showing at most the first six and last four digits) applies to the PAN when it is displayed, not as a substitute for protecting it in storage. Sensitive authentication data such as the full magnetic-stripe contents, the card verification code and PIN data must not be stored at all after a transaction is authorized, even if encrypted.
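The following Python example is added here to illustrate the "rendered unreadable" requirement described above; it is not code from the article or from Network Merchants Inc. It validates a candidate PAN (digit count and Luhn check digit, so that non-card strings are not treated as card data), masks it for display, truncates it to the first six and last four digits for storage, and replaces the full number with a keyed HMAC-SHA256 token for lookups. `DEMO_KEY` and the sample account numbers are constructed for the example; the sample numbers are well-known Luhn-valid test values, not real accounts, and in a real deployment the key would live in an HSM or key-management service, never beside the stored records.

```python
import hashlib
import hmac
import re

# Constructed for this example: the HMAC key would come from an HSM/KMS in practice.
DEMO_KEY = b"example-key-not-for-production"

# Constructed inputs: Luhn-valid test numbers, not real card accounts.
SAMPLE_PANS = ["4111 1111 1111 1111", "5500-0000-0000-0004"]


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes that commonly appear in keyed-in card numbers."""
    return re.sub(r"[ -]", "", raw)


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN's check digit satisfies the Luhn algorithm."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_pan(raw: str) -> bool:
    """A PAN is 12 to 19 digits with a valid Luhn check digit."""
    pan = normalize_pan(raw)
    return bool(re.fullmatch(r"\d{12,19}", pan)) and luhn_valid(pan)


def mask_pan(raw: str) -> str:
    """Display form: first six and last four visible, the rest replaced by '*'."""
    pan = normalize_pan(raw)
    if not is_valid_pan(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(raw: str) -> tuple[str, str]:
    """Storage form: keep only the BIN (first six) and last four; the middle is discarded."""
    pan = normalize_pan(raw)
    if not is_valid_pan(pan):
        raise ValueError("not a valid PAN")
    return pan[:6], pan[-4:]


def pan_token(raw: str, key: bytes) -> str:
    """Keyed hash of the PAN for matching repeat cards without storing the PAN.

    A plain SHA-256 would not do: with a known BIN the remaining digits are a
    small search space and the hash could be brute-forced back to the PAN.
    Without the key, the HMAC output reveals nothing usable.
    """
    pan = normalize_pan(raw)
    if not is_valid_pan(pan):
        raise ValueError("not a valid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_record(raw: str, key: bytes) -> dict:
    """Build the record that may be persisted: no full PAN anywhere in it."""
    bin6, last4 = truncate_pan(raw)
    record = {"bin": bin6, "last4": last4, "token": pan_token(raw, key)}
    assert normalize_pan(raw) not in str(record)   # defensive: never leak the PAN
    return record


if __name__ == "__main__":
    for sample in SAMPLE_PANS:
        print(mask_pan(sample), store_record(sample, DEMO_KEY))
```

The defensive `assert` in `store_record` is the check a reviewer would look for: whatever else changes, the persisted record can never carry the full PAN, and any hashing that is not keyed should be treated as reversible.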
Control measures are an important part of maintaining secure business practices. The human element is the hardest part to control. Access to sensitive data should be limited to people who have a documented business need for it. Not only should a limited number of people be able to reach cardholder data, but each of them must use a unique ID, with no shared or generic accounts, so that every action can be tied to an individual. The company also must maintain a full audit trail of access to cardholder data and to the systems that hold it, and review it regularly.
Maintaining a vulnerability-management program is also crucial. The concept is simple even if the discipline is not: keep anti-malware software current and scanning, apply security patches promptly (critical patches within one month under the PCI DSS), and perform regular vulnerability scans, which the standard requires at least quarterly for both the internal network and the Internet-facing systems, the external scans being run by an Approved Scanning Vendor, plus rescans after any significant change. Running the latest software versions and scanning regularly will help maintain your network's security.
The first steps in becoming compliant with PCI are meeting the requirements just described. Following is a final overview of milestones for prioritizing PCI DSS compliance efforts, drawn from the PCI Security Standards Council's website, www.pcisecuritystandards.org.
Understanding how to implement and maintain secure systems according to the standards set by the PCI SSC is a solid first step toward securing your company's future.
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.