PCI / CISP Compliance

sotapop

Background

In a world where identity theft is on the rise, capturing and stealing cardholder data has become rampant. At the same time, from what we understand, the pressure associated with Visa going public may require it to adjust its policies to meet public and shareholder demands. If you have been reading the news, you've seen many businesses "lose" sensitive customer data, as if they had simply stopped upholding their responsibility for the privacy of their customers. Meanwhile, the spread of Internet access into homes and businesses, along with wireless Internet access locations, has added a new, electronic opportunity to capture data.

Terms:

ADCR = Account Data Compromise Recovery
AIS = Account Information Security (Visa sponsored)
ASV = Approved Scanning Vendor
CAMS = Compromised Account Management System (Visa clearinghouse for reporting compromised, stolen or recovered account data and receiving alerts about risky account numbers)
CISP = Cardholder Information Security Program (Visa sponsored)
CVV = Card Verification Value (a.k.a. Card Security Code)
DSOP = Data Security Operating Policy (American Express)
DSS = Data Security Standard
QSA = Qualified Scanning Assessor
PABP = Payment Application Best Practices
PAN = Primary Account Number
PED = PIN Entry Devices
PCI = Payment Card Industry
PTS = Point of Sale Terminal Security
SAQ = Self-Assessment Questionnaire
SDP = Site Data Protection (the MasterCard program)
SSC = Security Standards Council
VPA = Validated Payment Applications (a.k.a. Approved POS versions)

The PCI (Payment Card Industry) is very serious about preventing the electronic and paper theft of cardholder data. Accomplishing that is exactly what compliance requires. Forget the checklists: if you are properly protecting cardholder data, you are probably already meeting almost all of the PCI DSS (Payment Card Industry Data Security Standard) requirements. If some requirements don't fit your business model, hopefully you are leveraging other controls, known as "compensating controls", to achieve the same protection of cardholder data.

If you are not protecting cardholder data, then you are not compliant with PCI DSS.

It’s that simple!

Additionally, it might be helpful to understand the following, from one of the organizations that writes the standards:


What is the Payment Card Industry (PCI) Data Security Standard (DSS)?

The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Initially created by aligning Visa's Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard's Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents. 

What are the requirements that have to be satisfied to be in compliance with the PCI Data Security Standard?

The PCI Data Security Standard is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

The PCI Data Security Standard is comprised of 12 general requirements designed to:

* Build and maintain a secure network;
* Protect cardholder data;
* Ensure the maintenance of vulnerability management programs;
* Implement strong access control measures;
* Regularly monitor and test networks; and
* Ensure the maintenance of information security policies.

Where can I get more information about the exact requirements needed to be PCI DSS compliant?

The PCI DSS standard and all supporting documentation can be found on www.pcisecuritystandards.org.

Gathered from <https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml>

Once you've determined which merchant level you are currently rated at, based upon the number of e-commerce and/or other credit card transactions, you can determine what fines and non-compliance risks you face. For the sake of this discussion, let's assume that most of the businesses we work with fall into the "Level 4" category for Visa. MasterCard and American Express also define merchant levels, based upon criteria of their own.

Another article describes this definition well:


Since Visa has been reporting significantly higher compliance levels among Level 1-2 merchants, it is important to focus on the smaller merchant community. I was discussing this with a friend who asked, “What is a Level 4 merchant?” This is a very good question because it shows that some merchants do not understand the merchant level hierarchy and the associated reporting procedures.

The definition of a Level 4 merchant may vary depending on your geographic location and card acceptance type. For example, the Canadian arm of Visa Inc. previously defined Levels 4a and 4b, but now seems to have a nearly synonymous definition for Level 4 merchants. From what we understand, the other Visa regions (with the exception of Latin America and the Caribbean) define a Level 4 merchant as:

* Any merchant processing less than 20,000 Visa e-commerce transactions per year, or
* Any merchant processing less than 1,000,000 Visa transactions from any other acceptance channel (i.e. in-store POS) per year

MasterCard Worldwide has a different definition of what a Level 4 merchant is and lists them as any merchant that is not a Level 1-3 merchant. If you read the Level 3 definition you will see that they classify Level 4 merchants in much the same way as Visa Inc.

What does this mean?

Well, it simply tells you where you fall in the grand scheme of PCI DSS compliance. Remember that although compliance of the Level 4 community is mostly optional and managed by the acquiring bank or transaction processor, all merchants, regardless of level definition, must be compliant.

Level 4 merchants should look to their point of sale (POS) system and make sure that it is in compliance with the PABP; however, a new definition now suggests that payment applications must adhere to the PCI-DSS security requirements. If you want more information on validating your compliance, then take a look at the latest self-assessment questionnaire released by the PCI Security Standards Council.

Originally gathered from <http://pcianswers.com/>

sotapop
Sotapop Consulting
PO Box 192061
San Francisco , CA 94119
(415) 647-0550 office
(650) 996-6241 cell
support@sotapop.org