Payment Card Industry – Data Security Standard
The PCI DSS sets out requirements for monitoring and storage of credit/debit card information. There are four levels, which depend on the volume of card transactions being handled, and businesses which handle large volumes of transactions are required to monitor very closely all access to the credit/debit card information stored on their systems. There will be an audit system set up, and for large-volume users it is estimated that a quarterly audit could cost around £10,000; the audit will be to ensure that they adhere to best practice. Smaller-volume users will pay much less for an audit, but it is not clear at the moment what this will be. The payment systems will cover transactions through on-line payments and Epos systems, so it is up to retailers to make sure that their systems conform. Small businesses are seen as being vulnerable and liable to picking up fines as the legislation and standards come into force on 30th June 2007.
The four levels of compliance are based on the volume of card transactions processed by a retailer, and heavy fines could be levied on any retailer that experiences card theft if they have not complied with the new standards. Retailers should be aware that the data collected by their Epos (electronic point of sale) systems may be compromised if, for example, it is on the end of a "permanently on" Internet link which is not protected. Every Epos user should check with their payment gateway provider and ask for written confirmation that the link and system conform to the new legislation and security requirements. This also applies to remote-access Epos systems, where the user is able to access the payment system remotely over an Internet connection; where this is the case, the system must be protected to prevent unauthorised access to card data.
Source: PCI DSS

