Topic of the month
PCI Overview
Barry Johnson - February 08, 2006
Over the past six months, igxglobal has taken the steps needed to become one of a limited number of vendors able to perform assessments against the Payment Card Industry (PCI) Data Security Standard. The PCI standard is supported and recognized by all of the card brands (Visa, MasterCard, American Express, Discover, and JCB). It is intended to protect cardholder data wherever it resides, so that members, merchants, and service providers all maintain a consistent, high standard of information security.
Compliance is required of all merchants and service providers that store, process, or transmit cardholder data. The standard applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. The PCI Data Security Standard provides the tools and measurements needed to protect against cardholder data exposure and compromise across the entire payment industry. The PCI Data Security Standard consists of twelve basic requirements supported by more detailed sub-requirements:
PCI Data Security Standard
Build and Maintain a Secure Network
· Requirement 1: Install and maintain a firewall configuration to protect data
· Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
· Requirement 3: Protect stored data
· Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
· Requirement 5: Use and regularly update anti-virus software
· Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
· Requirement 7: Restrict access to data by business need-to-know
· Requirement 8: Assign a unique ID to each person with computer access
· Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
· Requirement 10: Track and monitor all access to network resources and cardholder data
· Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
· Requirement 12: Maintain a policy that addresses information security
Compliance validation
Separate and distinct from the mandate to comply with the PCI requirements is the validation of that compliance. Validation is a fundamental function: it identifies and corrects vulnerabilities and protects customers by confirming that appropriate levels of cardholder information security are actually being maintained, not just claimed.
Members (issuers and acquirers, i.e. financial institutions such as Citigroup, Bank of America, etc.) must comply with PCI themselves and are responsible for ensuring the PCI compliance of their merchants, their service providers, and their merchants' service providers. Although there may be no direct contractual relationship between a merchant's service provider and the acquiring member, the member remains responsible for any liability that results from PCI non-compliance. Acquirers must therefore include a PCI compliance provision in all contracts with merchants and non-member agents.
CISP (Visa Cardholder Information Security Program) compliance penalties
If a member, merchant or service provider does not comply with the security requirements or fails to rectify a security issue, the following penalties may be imposed:
· Fine the responsible member
· Impose restrictions on the merchant or its agent
Members are protected from fines when a merchant or service provider is compromised but is found to have been PCI-compliant at the time of the breach. Members are subject to fines of up to $500,000 per incident for any merchant or service provider that is compromised and was not PCI-compliant at the time of the incident. In addition, the party at fault is responsible for forensic investigation costs, card re-issuance costs, and a year of credit monitoring for the affected consumers.
Loss or theft of account information
A member, a member's service provider, a merchant, or a merchant's service provider must immediately report the suspected or confirmed loss or theft of any material or records that contain cardholder data.
If a member knows or suspects a security breach at a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data.
If a member fails to immediately notify the appropriate Card Fraud Control group of the suspected or confirmed loss or theft of any Visa transaction information, the member is subject to a penalty of $100,000 per incident.
Additional fines may be levied in exceptional circumstances where the violation presents an immediate and substantial risk to Visa and its members.
As stated above, igxglobal, Inc. has taken the necessary steps to become an approved PCI DSS assessor. This places igxglobal on a short list of vendors that Visa and MasterCard present to their member banks (issuers and acquirers). Those members, in turn, contractually require their merchants to undergo an assessment in order to meet the PCI requirements, and provide the merchants with this list of approved assessors. A merchant is anyone who accepts credit cards for payment. For example:
· Hospitals – gift shops, pharmacies, billing, etc.
· Colleges – book stores, alumni stores, accounts receivable, etc.
· Doctors' offices – payment for services
· Online retailers
· Restaurants
· Book stores
The list goes on and on. The key for us is knowing whom to speak with in these organizations; in many cases it is not the compliance officer, whose focus is on federal and state law (as it would be at a hospital, for example). In some cases the organization may not even know it is required to adhere to these standards. We have to be smart and ask the right questions so that we reach the right people and, where necessary, educate them along the way. Some of the most immediate questions we can ask are:
· Do you accept credit cards for any form of payment?
· Who maintains the systems that accept credit card data?
· Are you aware that these systems must meet security standards laid out by the Payment Card Industry (Visa, MasterCard, American Express, Discover, etc.)?