PCI Hosting Compliance
With the expanded use of cloud computing in business and the explosion in online credit card use over the past two decades, the security of sensitive financial information has become vitally important to companies conducting business over the internet. Massive data breaches at companies like Sony, TJX and Barnes & Noble and at credit card processors like Global Payments have potentially exposed millions of unsuspecting customers to unauthorized bank withdrawals, identity theft and criminal misuse of their credit cards. To combat the problem with a uniform approach, the five major card brands (MasterCard, American Express, Discover, Visa and JCB) published the first version of the Payment Card Industry Data Security Standard in 2004 and in 2006 formed the Payment Card Industry Security Standards Council (PCI SSC) to maintain it.

PCI Security Standards

The standards maintained by the PCI SSC replaced the previous system in which each card brand administered its own security program, which required merchants trying to follow card security best practices to reconcile up to five different sets of requirements. The Council's standards have three primary compliance areas: the PCI Data Security Standard (PCI DSS), the Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS). PA-DSS governs the payment application software that merchants buy and install, such as point-of-sale systems, and prohibits those applications from storing sensitive authentication data (full magnetic-stripe track data, card verification codes and PINs) after authorization. (PA-DSS was retired in 2022 and succeeded by the PCI Software Security Framework.) PTS covers the hardware on which cards and PINs are physically presented, such as PIN entry devices and hardware security modules, and requires tamper-resistant designs and encryption of the PIN at the point of entry so that a PIN is never exposed alongside the account number. PA-DSS and PTS protect individual cardholders when they use their cards in physical locations. The DSS applies to every entity that stores, processes or transmits cardholder data, including online merchants and the hosting providers that run their systems, and sets out how that data must be protected.

Compliance with the PCI Data Security Standard

The DSS groups its twelve requirements under six control objectives. Building and maintaining a secure network means installing and maintaining a firewall configuration to protect cardholder data and never using vendor-supplied defaults for system passwords and other security parameters. Protecting cardholder data means protecting stored data (never storing sensitive authentication data after authorization, and rendering the primary account number unreadable wherever it is stored) and encrypting cardholder data whenever it is transmitted across open, public networks. Maintaining a vulnerability management program means running and keeping up to date anti-virus software and developing and maintaining secure systems and applications, including timely patching. Implementing strong access control measures means restricting access to cardholder data to a business need-to-know basis, assigning a unique ID to each person with computer access, and tightly controlling physical access to cardholder data. Regularly monitoring and testing networks means tracking and logging all access to network resources and cardholder data and regularly testing security systems and processes, for example with vulnerability scans and penetration tests. Finally, maintaining an information security policy means keeping a policy that addresses information security for all personnel and reviewing and updating it regularly. The Council later published supplementary guidance on DSS-compliant wireless network deployments. The PCI Compliance Guide is a good place to get more information about the PCI data security standard.
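As an added example (not from the original page and not code from the PCI SSC), the following Python script shows the kind of check a hosting provider runs in support of the stored-data objective: it scans application log lines for primary account numbers, uses the Luhn check to discard digit runs that merely look like card numbers, and masks any genuine PAN to the first six and last four digits, the most PCI DSS permits to be displayed. The log lines are constructed sample data that use the card brands' published test card numbers; the function names are assumptions of this example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real data). The card numbers are the brands'
# published test PANs; "1234567890123456" is a decoy that fails the Luhn check.
SAMPLE_LOG = [
    "2013-04-02 12:01:07 checkout ok user=alice pan=4111 1111 1111 1111 amount=19.99",
    "2013-04-02 12:01:09 checkout ok user=bob order=1234567890123456 amount=5.00",
    "2013-04-02 12:01:11 gateway debug auth 378282246310005 cvv=123 exp=0415",
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands; it rejects most digit runs
    (order IDs, timestamps) that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits (PCI DSS Requirement 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_of(match: "re.Match[str]") -> str:
    """Strip the optional separators so the Luhn check sees only digits."""
    return re.sub(r"[ -]", "", match.group(0))


def find_pans(text: str) -> list[tuple[str, str]]:
    """Return (text as written, normalized digits) for every Luhn-valid PAN in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = _digits_of(m)
        if luhn_valid(digits):
            found.append((m.group(0), digits))
    return found


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    def repl(m: "re.Match[str]") -> str:
        digits = _digits_of(m)
        if luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)       # not a PAN: leave the text untouched
    return PAN_RE.sub(repl, line)


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (1-based line number, redacted line) for each line that held a PAN."""
    return [(n, redact_line(line)) for n, line in enumerate(lines, 1) if find_pans(line)]


if __name__ == "__main__":
    for n, redacted in scan_log(SAMPLE_LOG):
        print(f"line {n}: {redacted}")
```

Run against the constructed sample, the scanner reports lines 1 and 3 and leaves the decoy order ID on line 2 alone. Note that the card verification code on line 3 is sensitive authentication data: the DSS forbids storing it at all after authorization, so its appearance in a log is a finding to remediate at the source, not something to mask.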

Why Compliance is Important

Compliance with the PCI DSS is required by the five card brands both for merchants and for the hosting companies that store, process or transmit cardholder data on their behalf (service providers, in DSS terms). Large merchants and service providers must have their compliance validated by an independent Qualified Security Assessor (QSA); the smallest merchants instead complete a Self-Assessment Questionnaire (SAQ), but must implement the same controls. An assessor attests that the requirements were met at the time of the assessment, and it is the responsibility of the assessed company to maintain compliance between assessments. The Council's position is that the goal is not compliance but security, and it has noted that in each major breach it has examined, the targeted company was not actually in compliance at the time of the incident.

Validated compliance matters because the reputational damage a merchant suffers from a breach can translate into a catastrophic loss of business. Additionally, the card brands may levy fines and require the breached company to cover the cost the issuing banks incur to reissue cards. Government regulators may investigate as well; the FTC's settlement with TJX after its breach, for example, required independent security audits every other year for 20 years. The potential costs of a breach make it critical that merchants select ecommerce and hosting partners who adhere to the highest standards of DSS compliance.

Ecommerce has opened up a global pool of potential customers for merchants, but the downside has been a proliferation of hackers and cyber-thieves. Following the precautions laid out in the PCI DSS reduces those risks and allows transactions to be conducted securely over the internet.

Photo by Purple Slog on Flickr