Mousa Iskandar
IN today’s world, using credit card is a fact of life. Credit card that we use quite often carries important information that if compromised during the use could cause damage to cardholders, merchants as well as the brands. The credit card carries cardholder data that include the full Primary Account Number (PAN), cardholder name, expiration and service code. Also includes authentication data on the magnetic stripe.
In this era of data-centric living a single breach could throw many people’s lives awry. Compromised data, if it falls into wrong hands, could wreak havoc, as it did recently in 2013.
One of the major data breach happened to Target Discount Retail Store. As many as 70 million customers’ credit cards were stolen. The credit cards theft happened between Nov. 27 and Dec. 15, 2013. The stolen information had customer names, credit cards or debit card number, the card’s expiration date and CVV (card verification value) as well as customer information. This included names, mailing addresses, phone numbers and mail address.
As a result, Target sales dropped and also its share earnings. Also, for the customer, this has increased the possibility of identity theft. Once an identity is stolen, the thief can do a lot of things that would be detrimental to the customer. Among other things, the thief can get new credit card in your name and access your bank accounts.
In 2004, the major credit card brands (Discover, American Express, MasterCard, Visa and JCB) formed the Payment Card Industry Security Standards Council (PCI SSC) to facilitate the development of standards to become as a common set of minimum-security requirements to be implemented by all merchants and service providers that process, store or transmit credit cards information. In June 2005, the PCI SSC announced Payment Card Industry Data Security Standard (PCI DSS) protocol and it went into effect soon.
PCI SSC manages three different standards: the first standard covers everything from the physical security to logical security. Second covers Payment Application Data Standard (PADSS). There are thousands of PADSS compliant applications listed on the PCI DSS website where merchants can buy any off the shelf. The last standard is the PIN Transaction System (PTS). PCI SSC certifies all devices that process credit card PIN number.
PCI applies to every company that accepts credit card this includes retail point-of-sale services and mail/phone order. If your company accepts credit cards as payment for goods or services, then you should be aware of the Payment Card Industry (PCI) data security standards (DSS). These standards were created to protect the credit card information of all consumers.
The awareness should be made clear both to the consumer and the company such that data security is enhanced while reducing the chances of identity theft or a security breach.
There are many benefits for your credit card processing system when it becomes compliant with PCI DSS. The benefit of deploying PCI DSS is you get peace of mind. Knowing that your organization has done everything it can to ensure the safety and security of the customers’ payment card data and the deployed standards has been developed thoroughly.
The second benefit of PCI DSS compliance is good customer relationship. Customer will be more comfortable dealing with merchants that are PCI DSS certified because they knew that their credit card information are protected. Improved relationship with customer more often translate into more profits.
Another benefit to PCI DSS compliance is that it becomes an integral part of any vulnerability management plan. Being PCI DSS compliant will drastically reduce the non-compliance findings when performing penetration testing and vulnerability scanning and that in turn will reduce the cost.
Since this protocol is the de-facto standard protocol around the world, it will be easier on other international organization to deal with your organization if you are PCI DSS compliant. In addition, when an organization branches internationally where PCI DSS is mandatory, then this will influence all the company’s activities that are related to credit card processing to be PCI DSS compliant
Meeting PCI security requirements is very important to you if your business accepts credit cards for goods or services. Even though PCI is not, in itself, a law. However, PCI DSS is mandatory to all. Nothing is voluntary.
More than 80 percent of data stolen in breaches is payment card data, according to the 2009 Verizon Business Data Breach Report. The biggest challenge for the industry is education. Some of the small businesses don’t know that they are responsible to be PCI compliant.
PCI SSC states that if you handle credit card information you must be compliant with PCI standards. That is a global rule. Merchants that do not comply with PCI DSS may be subject to fine, costly forensic audits, etc., should a breach event occur.
The PCI DSS is a set of 12 specific requirements that cover six different goals. It covers what to secure and how to become secure
PCI DSS: Goals
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
PCI DSS: 12 specific requirements
1. Install and maintain a firewall configuration to
protect cardholder data
2. Do not use vendor-supplied defaults for system
passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across
open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and
applications
7. Restrict access to cardholder data by business
need-to-know
8. Assign a unique ID to each person with computer
access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources
and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security