Payment Card Industry Data Security Standards
The Card Associations are concerned about cardholder information getting into the wrong hands for illegal use. Therefore, the Card Associations have adopted the PCI Standards to better secure cardholder information.
What is PCI & PCI DSS?
PCI helps protect the merchant business from:
The credit card brands have made PCI compliance mandatory for merchants.
PCI Data Security Standards Defined by the Card Associations Require Merchants to:
Build and maintain a secure network.
Protect cardholder data.
Maintain a Vulnerability Management Program.
Implement strong access control measures.
Regularly monitor and test networks.
Maintain an information security policy.
Must comply & pass third party audits
Level 1 – Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Any merchant identified by any other payment card brand as level 1.
Level 2 – Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
eCommerce merchants (1M to 6M transactions/yr)
Required to comply
Level 3 – Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4 – All other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year, and all merchants processing fewer than 20,000 Visa e-commerce transactions per year.
Level of compliance is determined by merchant’s size
Large Retail Merchants
(Wal-Mart, Target, etc)
All merchants (regardless of size) are subject to annual audits and quarterly scans if they have a compromised data situation.
*The PCI DSS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by Level 4 merchants.
Merchant software may never store the CVV data.
Potential Cost to a Merchant for a Compromise
Credit Firms Push to Thwart Fraud
The article goes on to describe the various issues the credit card industry faces regarding data security and how it plans to deal with them in the coming months and years. The fact is that although the credit card companies are starting their efforts to enforce PCI DSS standards with the big retailers, it is the small and mid-sized businesses like yours that are the easiest and most lucrative targets for cyber criminals.
Cases By Industry
SpiderLabs data is gathered from more than 140 card compromise cases.
Food Service Industry represents the majority of the compromises.
Cases by Card Acceptance
About 4 out of every 5 cases are a traditional Brick and Mortar environment.
Card Present Merchants are not aware of these risks!
Cases By System Type
Majority of the cases involved a compromise of a Software based POS system.
None of these systems were Visa PABP or PCI DSS compliant.
Cases By Connectivity
All Internet connectivity should be considered high risk.
SpiderLabs has tracked a trend in migration from T1 and Dial-Up to DSL/Cable.
Merchant Error vs. 3rd Party Error
Half of the compromises were caused by a fault in the service provided by a 3rd party to a Merchant.
POS Developers, Integrators, IT Firms are not following PCI DSS and leaving Merchants at Risk!
Brick and Mortar Cases w/ Track Data Storage
Track Data storage is never permitted in any environment post authorization.
Non-Compliant software packages are storing Track Data and the Merchants did not know until it was too late!
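The check a merchant or assessor can run to catch exactly this problem, as an added example that is not part of the original slides or SpiderLabs' material: it scans a POS log for Track 1 and Track 2 layouts (ISO/IEC 7813), confirms the PAN with a Luhn check to cut noise, and reports only masked PANs. The log excerpt and the test PAN are constructed for the example; CVV2 has no fixed structure, so this covers track data only.

```python
import re

# Magnetic-stripe track layouts (ISO/IEC 7813):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; filters numeric noise that only looks like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits when reporting a finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return (track, masked PAN, line number) for every stored track found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in pattern.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append((name, mask_pan(m.group(1)), lineno))
    return findings


# Constructed POS log excerpt using the well-known test PAN 4111111111111111;
# line 1 is a compliant masked record, line 4 is Luhn-invalid and must not be reported.
SAMPLE_LOG = """\
2008-03-11 09:14:02 auth ok amount=42.10 pan=411111******1111
2008-03-11 09:14:02 swipe %B4111111111111111^DOE/JANE^2512101123456789?
2008-03-11 09:15:40 swipe ;4111111111111111=25121011234567890?
2008-03-11 09:16:07 swipe ;1234567890123456=2512101?
"""

if __name__ == "__main__":
    for track, pan, lineno in find_track_data(SAMPLE_LOG):
        print(f"line {lineno}: stored {track} data for {pan}")
```

Run it against real POS logs, database dumps and application directories; any hit is a Requirement 3 failure regardless of whether the software vendor claimed compliance.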
Most Common “Not In-Place”
Requirement 1: Install and maintain a firewall to protect data
Requirement 3: Protect stored data
Requirement 6: Develop and maintain secure systems and applications
Requirement 8: Assign a unique ID to each person with computer access
Requirement 10: Track and monitor all access to network and card data
Requirement 11: Regularly test security systems and processes
Top 10 Reasons/Methods of Compromise
Profile of the Merchant w/ Greatest Compromise Potential
Payment Acceptance: Card Present
System Type: Non-Compliant Software POS
Connectivity: DSL or Cable Modem