The Payment Card Industry (PCI) Association mandates the use of the PCI Data Security Standard (DSS) as the audit standard that must be followed to demonstrate compliance with their security requirements. Any organisation wanting to accept credit cards as a form of payment is required to contractually agree to comply with this standard and failure to comply can result in a variety of fines and, potentially, the loss of the right to accept credit cards at all.

Costs arising from a credit card data security breach are made up of several elements, including investigative computer forensic costs, recovery costs and fines of up to $500k. TJX, the American retail giant, set aside $118m to cover costs and potential liability arising from a security breach of its database systems in which 45.6m credit and debit card records were stolen between July 2005 and January 2007.

The PCI Security Standards Council (SSC) was launched on September 7th, 2006. The founding brands that are part of the PCI SSC include the leading brands here in the UK, such as Visa International and MasterCard Worldwide. The standard has 12 high-level security requirements which cover nearly 200 specified controls, both management controls and technical controls. The business processes and supporting system infrastructures in scope include both credit card front-office processes, such as telesales, and back-office post-authorisation payment and collection processes.

The standard applies to all businesses that process, store or transmit card payment data, regardless of the monetary value and the total number of transactions taken. Fundamentally, Visa and MasterCard are made up of acquirers who hold the business relationship with the merchants (businesses). Merchants are responsible for demonstrating compliance with the standard to their acquirer, typically a bank, on a yearly basis.

Whilst compliance with all 12 requirements is mandatory, PCI doesn’t introduce any new or alien controls for securing confidential and sensitive information. Protection is less expensive than recovery from a data breach (£159 per account) by a factor of 18 (source: RSA).

Vistorm offers a range of PCI DSS services to help organisations become and remain compliant:

  • Orientation and Discovery
    • Business and IT Contexts
    • Key Requirements of the Standard and alignment of Ownership
    • Data Analysis
    • Outline Plan / Next Steps for achieving compliance
  • Scoping Study
    • Business Processes and Data Flows
    • Supporting IT Assets (Applications and Infrastructure)
    • Options to remove / redesign processes and systems to reduce scope
    • Outline Plan / Next Steps
  • Gap Analysis
    • Interview Schedule and Documentation Requirements
    • Testing Approach
    • Control Sample Results
    • Consolidated Findings and Recommendations
  • Remediation
    • Design Requirements
    • Evaluation of Options and Implementation Plan
    • Installation and Testing / Handover
  • Validation Management
    • Review Gap Analysis and Remediation Programme
    • Review Scanning Test Results and Re-Tests
    • Perform Validation
    • Summary of Findings Letter

For more information about how Vistorm can help you with the PCI DSS standard, please contact us.