PCI: How It Affects the Merchant
Walk through the entrance of any store today and you are very likely to encounter an Electronic Article Surveillance device. Designed to reduce loss through shrinkage, these devices have been accepted by today's merchant as a cost of doing business. As consumers, we have found them so commonplace that we no longer notice them. Unfortunately, there is a new target for criminal activity today, and it can't be protected with a simple scanner. The target is your identity. According to the Federal Trade Commission's National Resource on Identity Theft, 37% of all consumer complaints relate to identity theft. In 2005, 26% of those were tied to credit card fraud. The table below illustrates the continuing growth in complaints tied to identity theft.
Growth in ID Theft Related Complaints
To fight back against this growing trend, the PCI Data Security Standards were created by the major credit card companies to ensure that consumer information, particularly cardholder data, is protected. Visa, MasterCard, American Express, Discover and other credit card companies have created programs (e.g., Visa's CISP, or Cardholder Information Security Program) mandating that merchants meet certain minimum requirements for the management of cardholder data. Failure to comply can result in steep fines and penalties, up to and including losing the ability to accept electronic payments.
Just as loss prevention scanners have been implemented to secure against physical loss, new steps need to be taken today to secure against identity theft. This document clears up some of the confusion surrounding the PCI Data Security Standard requirements and illustrates how ISD can help merchants not only meet compliance requirements but also implement a secure and flexible payment infrastructure.
Payment Industry Security Concerns
PCI Data Security Standard
While the complete Data Security Standard can be found on either the Visa or MasterCard website, listed below is what is known as the digital dozen: a high-level summary of the merchant requirements for CISP or SDP qualification.
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored data
- Encrypt transmission of cardholder data and sensitive information across public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
PCI Data Security Standard: Digital Dozen
Compliance Requirements
All merchants fall into one of four levels as defined by MasterCard and Visa. The requirements for these Merchant Levels changed on 18 May 2006, and may very well change again as the credit card companies continue to tighten the requirements. Specific details and updates can be found on their respective websites. The table below summarizes the four levels.
| Merchant Level | Criteria |
|---|---|
| Level 1 | Any merchant processing over 6,000,000 transactions per year; any merchant who has had a compromise related to electronic payments; any merchant that the credit card provider determines should meet these requirements |
| Level 2 | Merchants accepting between 1,000,000 and 6,000,000 transactions per year |
| Level 3 | Merchants accepting between 20,000 and 1,000,000 e-commerce transactions per year |
| Level 4 | Merchants processing fewer than 20,000 e-commerce transactions per year; all merchants processing up to 1,000,000 transactions per year |

Cardholder Merchant Level Descriptions
Determining merchant levels is the responsibility of the acquiring bank. Based on the merchant level, different compliance validation requirements exist. The table below illustrates some of the validation requirements.
| Merchant Level | Validation Requirements | Validation Date / Notes |
|---|---|---|
| Level 1 | Annual On-site PCI Assessment conducted by a qualified security assessor, or internal audit if signed by an officer of the company; Quarterly Network Scan conducted by an Approved Scanning Vendor | 9/30/2004; new Level 1 Merchants have up to 1 year from identification to validate |
| Level 2 | Annual PCI Self-Assessment Questionnaire conducted by the Merchant; Quarterly Network Scan conducted by an Approved Scanning Vendor | New Level 2 Merchants have until 9/30/2007 to comply |
| Level 3 | Annual PCI Self-Assessment Questionnaire conducted by the Merchant; Quarterly Network Scan conducted by an Approved Scanning Vendor | 6/30/2005 |
| Level 4 | Annual PCI Self-Assessment Questionnaire conducted by the Merchant; Quarterly Network Scan conducted by an Approved Scanning Vendor | Validation dates and requirements can be set by the merchant's acquirer |
Payment Application Best Practices
As discussed above, payment application vendors are required to meet PABP validation. This is to assure merchants that they are selecting a payment application which will help them meet their CISP or SDP validation requirements. The Payment Application Best Practices are described below.
- Do not retain full magnetic stripe or CVV2 data
- Protect Stored Data
- Provide Secure Password Features
- Log Application Activity
- Develop Secure Applications
- Protect Wireless Transmissions
- Test Applications to Address Vulnerabilities
- Facilitate Secure Network Implementation
- Cardholder Data Must Never Be Stored on a Server Connected to the Internet
- Facilitate Secure Remote Software Updates
- Facilitate Secure Remote Access to Application
- Encrypt Sensitive Traffic Over Public Networks
- Encrypt all non-Console Administrative Access
By ensuring that payment application providers meet these requirements, merchants can significantly simplify their PCI Data Security Standard compliance program.
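As an added illustration of the first two practices above, "do not retain full magnetic stripe or CVV2 data" and "protect stored data", and of the internal audit recommended later in this document (example code, not ISD's software or any PABP reference implementation): the Python below parses a constructed track 2 swipe, builds the only record a post-authorization store should hold, and audits stored records for prohibited data. The track 2 layout follows ISO 7813; the field names, the forbidden-key list and the sample PAN (the widely published Visa test number) are assumptions.

```python
import re

# Constructed sample swipe in ISO 7813 track 2 layout: ;PAN=YYMM<service code><discretionary>?
# The PAN is the widely published Visa test number, not a real card.
SAMPLE_TRACK2 = ";4111111111111111=27121011234567890?"
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\?$")
# Stored field names a PABP-compliant application must never persist (assumed naming).
FORBIDDEN_KEYS = {"track1", "track2", "cvv2", "cvc2", "cid", "pin_block"}

def luhn_ok(pan: str) -> bool:
    """Standard Luhn check-digit validation for a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, which is all reporting needs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def parse_swipe(track2: str) -> dict:
    """Extract only what authorization needs from the swipe; discretionary data is dropped."""
    m = TRACK2_RE.match(track2)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("unreadable or invalid track 2 data")
    return {"pan": m["pan"], "expiry": m["yy"] + m["mm"], "service_code": m["svc"]}

def storable_record(swipe: dict, auth_code: str) -> dict:
    """Build the post-authorization record: masked PAN only, no track data, no CVV2."""
    return {"masked_pan": mask_pan(swipe["pan"]), "expiry": swipe["expiry"],
            "auth_code": auth_code}

def audit_record(record: dict) -> list:
    """Internal-audit check: flag stored fields the application must not retain."""
    findings = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_KEYS:
            findings.append(f"prohibited field retained: {key}")
        if isinstance(value, str):
            if TRACK2_RE.match(value):
                findings.append(f"full track 2 data in field: {key}")
            elif re.fullmatch(r"\d{13,19}", value) and luhn_ok(value):
                findings.append(f"unmasked PAN in field: {key}")
    return findings
```

Run `audit_record` over every row of an existing authorization store to find legacy records that still hold full PANs or track data; an empty list for every row is the expected result.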
What This Means To You
It's easy, at first glance, to consider the PCI Data Security Standards as just one more complication for a merchant to deal with. Indeed, the credit card companies have provided the stick to ensure compliance. Upon further reflection, however, it becomes apparent that the "digital dozen" are really common-sense guidelines that should have been in place all along. Implementing strong security measures on behalf of their customers is one of the best steps a merchant can take to maintain strong customer loyalty. No one wants to find themselves on the front page of the newspaper for the wrong reason. ISD recommends that all merchants do the following:
- Determine from your processor what level your organization is according to the guidelines above
- Regardless of level, conduct an internal audit to determine areas of vulnerability
- Talk to your business partners, such as point-of-sale providers and acquirers, regarding potential pitfalls in your current payment management practices.
- Consider the implementation of an enterprise payment management system such as the ISD Enterprise Transaction Framework to provide added security and control to your overall payment infrastructure.
How Can ISD Help?
ISD's Enterprise Transaction Framework meets and exceeds the PABP guidelines described above. Implementation of a payment switch such as the ISD Enterprise Transaction Framework can also assist a merchant with legacy systems by removing the need for POS systems to store and manage credit card data. The ISD Enterprise Transaction Framework provides integrated interfaces to major POS systems, and easy-to-implement intelligent interfaces to in-house developed POS systems. These interfaces can offload PIN pad management, storage of authorization data, creation and management of electronic deposit file or settlement data, as well as secure current and historical reporting. Further, the ISD Enterprise Transaction Switch serves as a technology buffer between the merchant and their processor, simplifying changes due to business or regulatory requirements in either the processor or point-of-sale environments.
ISD was one of the first payment application vendors to receive PABP validation. Beyond merely providing a software application designed to meet these requirements, ISD has also recognized the merchant's need, called for in these practices, for a well-designed and well-executed implementation. To that end, ISD provides expert Professional Services and Project Management with each implementation to assist the merchant in ensuring a secure payment infrastructure.
For further information on how the ISD Enterprise Transaction Framework can help you meet PCI DSS requirements, contact an ISD representative today or email sales@isdcorporation.com.