As credit card fraud continues to increase, the major credit card brands have reacted by introducing a new set of controls for enhancing payment security across the globe: the Payment Card Industry Data Security Standard (PCI DSS v1.1).
Members, merchants and service providers must follow the requirements of the new standard in line with their contracts with the credit card companies.
The standard contains 12 requirements, which are intended to help organisations take active steps to protect their customers' account information.
In order to fully comply with the standard, every organisation to which the standard applies must implement all of the controls and annually audit their effectiveness. As from 1 January 2007 all new certifications and re-certifications must be based on PCI DSS version 1.1.
Penalties for non-compliance are severe and could result in major embarrassment or damaged reputations. Offending companies can be barred from processing credit card transactions, higher processing fees can be applied and, in the event of a serious breach, fines of up to £250,000 can be levied for each instance of non-compliance.
The 12 requirements, which may be enhanced and updated as required by the PCI Security Standards Council as circumstances require, are as follows:
To build and maintain a secure network
Requirement 1: install and maintain a firewall configuration to protect cardholder data
Requirement 2: do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
Requirement 3: protect stored cardholder data
Requirement 4: encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
Requirement 5: use and regularly update anti-virus software
Requirement 6: develop and maintain secure systems and applications
Implement strong access control measures
Requirement 7: restrict access to cardholder data by business need-to-know
Requirement 8: assign a unique ID to each person with computer access
Requirement 9: restrict physical access to cardholder data
Regularly monitor and test networks
Requirement 10: track and monitor all access to network resources and cardholder data
Requirement 11: regularly test security systems and processes
Maintain an information security policy
Requirement 12: maintain a policy that addresses information security
Further details can be found at www.pcisecuritystandards.org/tech/index.htm