Protect yourself from a cardholder data security breach...
Few things are as devastating for your business as a violation of cardholder data security. As a merchant, the consequences of such a breach fall on your shoulders. If a breach occurs, you could face substantial fines and the loss of your credit card processing services. You can protect yourself, your business and your customers by understanding the rules and regulations for security.
The major card issuers, Visa, MasterCard, American Express, Diners Club, Discover and JCB, collaborated to create a common set of standards called the PCI DSS (Payment Card Industry Data Security Standards). All merchants and service providers that handle, transmit, store or process information concerning any of these companies' cards, or related card data, are now required to comply with these standards. A merchant that is not compliant may face monetary penalties and/or have their card processing privileges terminated by the card associations.
The primary purpose of PCI is to require organizations to adopt common security controls that protect credit card data and reduce fraud and theft. The following chart illustrates the six primary goals of PCI DSS, comprising the 12 specific requirements of the PCI DSS:
The "Digital Dozen" PCI DSS Requirements - Six Goals, Twelve Requirements

| Goal | Requirement | Result/Benefit |
| --- | --- | --- |
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data | This will help to protect cardholder data from unauthorized access. |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters | This will help prevent hackers from easily compromising your systems. |
| Protect Cardholder Data | 3. Protect stored data | Cardholder data that is stored electronically must be masked or encrypted. Physically secure paper copies that contain cardholder data, such as receipts and reports. |
| | 4. Encrypt transmission of cardholder data across open, public networks | This will help to prevent cardholder data from being compromised when it is sent over public networks such as the Internet and wireless communications. |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software | Installing anti-virus and anti-spyware software will help protect systems from malicious software. |
| | 6. Develop and maintain secure systems and applications | Installing the most recent software security patches will help prevent systems from being exploited. |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know | Ensuring that cardholder data can only be accessed by authorized personnel will help to reduce the risk of a compromise. |
| | 8. Assign a unique ID to each person with computer access | This will help to ensure that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. |
| | 9. Restrict physical access to cardholder data | Limiting an individual's ability to remove systems or hardcopies will help to secure cardholder data. |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data | Logging all access to cardholder data will allow the information to be analyzed in the event of a security breach. |
| | 11. Regularly test security systems and processes | Regular testing will help to protect your systems against possible vulnerabilities. |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security | All employees and service providers should be made aware of the sensitivity of cardholder data and their responsibility to protect it. |
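Requirements 3 and 10 meet in practice where a merchant's own application logs are concerned: log lines must be kept for analysis, but must not contain full card numbers. The following Python example is added here and is not Moneris or PCI SSC code; it shows one way to mask a stored PAN to its last four digits and to scan constructed sample log lines for unmasked card numbers, using the Luhn check to tell card numbers from other digit strings.

```python
import re

# Constructed sample log lines (industry test-style card numbers, not real accounts).
LOG_LINES = [
    "2024-05-01 12:00:01 order=1001 pan=4111 1111 1111 1111 amount=19.99",
    "2024-05-01 12:00:02 order=1002 pan=5500000000000004 amount=5.00",
    "2024-05-01 12:00:03 order=1003 ref=4111111111111112 amount=7.50",
]

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by the major card brands; it filters out
    number-like strings (order ids, references) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the form in which a PAN may be shown
    or stored when the full number is not needed for the business."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str):
    """Replace every Luhn-valid PAN-shaped run in text with its masked form.
    Returns (redacted_text, number_of_pans_masked)."""
    count = 0

    def replace(match):
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # not a card number; leave untouched
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(replace, text), count


def scan_log(lines):
    """Report which lines contain a full PAN: list of (line_number, count)."""
    findings = []
    for number, line in enumerate(lines, start=1):
        _, count = redact_pans(line)
        if count:
            findings.append((number, count))
    return findings
```

Running `scan_log(LOG_LINES)` flags lines 1 and 2; the third line carries a reference that merely looks like a card number and fails the Luhn check, so it is left as-is.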
Does my business need to comply with the PCI DSS?
Absolutely. All entities that store, process, or transmit credit card account information are required to comply with the PCI DSS. However, validation requirements vary depending on your merchant level. See www.monerisusa.com/pcisecurity and the links below for details.
How can I ensure that I am compliant with PCI DSS?
You can count on Moneris to help you find what you need to know about complying with this important security standard. To obtain more information about PCI DSS and the Card Association compliance programs please visit www.monerisusa.com/pcisecurity, and the links below.
Remember, cardholder data security is your responsibility. Meeting the requirements of the PCI DSS will give you and your customers a feeling of security, and help you avoid the damaging consequences of a security breach.
Links
The PCI DSS is governed by an independent body, the PCI Security Standards Council™ (PCI SCC). For more information on the council, please visit: