What is PCI-DSS?
With more and more personal data being used every day, people are becoming all too aware of the need for improved security – and for caution in giving out 'sensitive information'.
This is a particular worry for anyone handing over their credit card details – something of a must in today's 'cardholder-not-present' online environment.
The Payment Card Industry Data Security Standard (PCI-DSS) was created because Visa, MasterCard, American Express, Discover and JCB each ran their own card security programme, which only served to muddy the waters. Administered by the PCI Security Standards Council (the PCI Council), the standard harmonised those efforts and put a single minimum set of requirements in place to protect cardholder data.
These must be adhered to by every organisation that stores, processes or transmits payment card data. PCI-DSS is not law in itself, but a contractual obligation enforced by the card schemes, through the acquiring banks, by means of fines or other restrictions.
The standard is organised around six goals, each covering one or more of its twelve requirements, as outlined below:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management programme
- Implement strong access-control measures
- Regularly monitor and test networks
- Maintain an information security policy
All creditors, collectors and service providers who store, process or transmit cardholder data are required to meet these goals, and the detailed requirements beneath them, as a minimum standard.
Today non-compliance with this standard can put a company taking card payments out of business. Following a number of serious security breaches over the last few years the schemes, and particularly the acquiring banks, have begun to make compliance with PCI-DSS a condition of doing business.
For debt collection agencies in particular this can be a big undertaking, in terms of the cost of implementing a compliant solution, the operational impact and the ongoing management of compliance with the standard.
Third parties involved in PCI compliance:
QSAs:
Qualified security assessors (QSA) are companies approved by the PCI Council to conduct PCI-DSS on-site assessments.
In simple terms, the QSA comes on site once a year and assesses the company's people, processes and technology against every requirement in the standard (several hundred individual sub-requirements). The QSA then writes a report on compliance (ROC), together with an attestation of compliance (AOC), which the business submits to its acquiring bank and, through the acquirer, to the card schemes. The PCI Council itself does not receive or approve individual reports.
The acquirer reviews the report and decides whether the business is accepted as compliant; the signed AOC is the record of that result, as there is no formal PCI 'certificate'. The process must be repeated annually, taking in any changes made to the standard since the last assessment.
ASVs:
Approved scanning vendors (ASV) are approved by the PCI Council to provide external vulnerability scanning services. In simple terms, the ASV scans your internet-facing systems from the outside for known vulnerabilities and misconfigurations; it does not assess procedures or policies, which is the QSA's job. A passing ASV scan is required at least once per quarter, so a failed scan must be remediated and re-run within the quarter.
Acquiring banks:
The acquiring banks have the responsibility of ensuring that any business they accept card payments for adheres to the PCI security standard.
Should a card scheme become aware of a business operating in a non-compliant manner, the scheme can impose fines on the acquirer responsible for that merchant.
By the same token, the acquiring bank can pass those fines on to the creditor or collections agency in question and terminate its merchant-services agreement, preventing it from taking card payments at all.
Am I compliant?:
The PCI self-assessment questionnaire (SAQ) helps a business work out which requirements apply to it and document how it meets them.
Which validation route a business must follow depends on its merchant level. The level is set by the merchant's acquiring bank based on the annual number of credit or debit card transactions, the channels through which payments are taken (e-commerce, telephone, face to face) and the security around them, and the business's breach history.
For each level there are criteria (who falls into it) and validation requirements (what must be done to demonstrate compliance). The transaction thresholds below follow Visa's merchant levels; the other schemes use similar bands, which should be confirmed with the acquirer:
Level 1 criteria – creditors and collections agencies with over 6 million transactions a year across all channels, or whose cardholder data has previously been compromised.
Level 1 validation requirements – annual on-site assessment by a QSA (or by an internal assessor, if the report is signed by an officer of the business and the approach is pre-approved by the acquirer), and a quarterly network scan by an ASV.
Level 2 criteria – creditors and collections agencies with 1 million to 6 million transactions per year.
Level 2 validation requirements – annual self-assessment questionnaire and a quarterly scan by an ASV.
Level 3 criteria – creditors and collections agencies with 20,000 to 1 million e-commerce transactions per year.
Level 3 validation requirements – annual self-assessment questionnaire and a quarterly scan by an ASV.
Level 4 criteria – creditors and collections agencies with fewer than 20,000 e-commerce transactions per year, and all other merchants with up to 1 million transactions per year.
Level 4 validation requirements – annual SAQ. A quarterly scan by an ASV may be recommended or required, depending on the acquirer's compliance criteria.
It is important to understand that if any business suffers a breach of cardholder data, regardless of its size or transaction volume, its acquirer can require it to validate at Level 1 from then on.
Outsourcing:
Any business accepting card payments must be PCI compliant to the required level. Outsourcing the capture and storage of card data to a payment service provider (PSP) can remove the vast majority of PCI-DSS requirements from the business's own scope, although never all of them: the business must still confirm the PSP's own compliance and complete the (much shorter) SAQ that applies to it.
As well as giving a creditor or collections agency the ability to view transactions in real time and providing consolidated reporting tools, a PSP can keep the business from ever touching cardholder details, and can securely store credit and debit card numbers on the merchant's behalf for use in future payments.
Conclusion:
Many creditors and collections agencies store large volumes of historical card records, adding a further layer of complexity. Outsourced hosted solutions such as tokenisation can alleviate this problem.
Tokenisation passes ownership of both the capture and storage of card numbers to a PCI-DSS compliant third party. In exchange for each card number the third party returns a token: a surrogate value that cannot be turned back into the card number without access to the third party's vault. It is the token, not the card number, that the operator stores, and the token is then used to initiate payments while the card number stays in the vault. Because systems that hold only tokens never see a card number, they fall outside most PCI-DSS requirements; the operator still has to make sure no copies of card numbers survive in old databases, call recordings or logs, or those systems remain in scope.
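To make that division of responsibility concrete, the following is an added example written for this page, not code from the original article and not any real provider's API. A hypothetical TokenVault class stands in for the PCI-DSS compliant third party and a hypothetical CollectionsAgency class stands in for the operator; the in-memory dictionary, the tok_ prefix, the amount_pence parameter and the stored_pans scope check are all assumptions made for illustration. The card number used is the industry's well-known 4111 1111 1111 1111 test number, not a real card. The point it shows is that the agency's own records never contain anything that looks like a card number, which is what takes those systems out of PCI-DSS scope.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is 13-19 digits and passes the Luhn check-digit test.

    Luhn only catches typos and transpositions; it says nothing about whether the
    card exists, so it is used here purely to recognise well-formed card numbers.
    """
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI-DSS: at most the first six and last four visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical stand-in for the PCI-DSS compliant third party.

    In a real service the token-to-PAN map lives in encrypted, access-controlled
    storage inside the provider's own cardholder data environment; a plain dict
    is used here only so that the example runs offline.
    """

    def __init__(self):
        self._pan_by_token = {}

    def tokenise(self, pan: str) -> dict:
        """Capture a card number and hand back a token plus display-only fields."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        # A random token carries no information about the PAN, so it cannot be
        # reversed or brute-forced the way a plain hash of a 16-digit number could.
        token = "tok_" + secrets.token_urlsafe(24)
        self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_pence: int) -> dict:
        """Resolve the token and (in a real vault) submit the PAN to the acquirer."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # Acquirer call omitted; only the masked PAN ever leaves the vault.
        return {"status": "approved", "amount_pence": amount_pence, "card": mask_pan(pan)}


class CollectionsAgency:
    """Hypothetical operator that stores tokens, never card numbers."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.customers = {}   # customer_id -> {"token": ..., "last4": ...}

    def capture_card(self, customer_id: str, pan: str) -> dict:
        record = self.vault.tokenise(pan)   # the PAN goes straight to the vault
        self.customers[customer_id] = record
        return record

    def take_payment(self, customer_id: str, amount_pence: int) -> dict:
        token = self.customers[customer_id]["token"]
        return self.vault.charge(token, amount_pence)


def stored_pans(agency: CollectionsAgency) -> list:
    """Scope check: any Luhn-valid run of 13-19 digits in the agency's records is a PAN."""
    blob = repr(agency.customers)
    return [m for m in re.findall(r"\d{13,19}", blob) if luhn_valid(m)]


if __name__ == "__main__":
    vault = TokenVault()
    agency = CollectionsAgency(vault)
    # Constructed input: the standard Visa test number, not a real card.
    record = agency.capture_card("cust-42", "4111111111111111")
    print("agency holds:", record)
    print("payment:", agency.take_payment("cust-42", 1250))
    print("PANs found in agency records:", stored_pans(agency))
```

The stored_pans check is the kind of search a QSA will run across databases, logs and call recordings when deciding what is in scope; if it ever finds a match in the operator's systems, tokenisation has not reduced scope at all.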
Deciding to outsource card storage in order to achieve compliance is not easy, and it is important that the partner chosen has security at the heart of its business. Ideally the partner's security policies and procedures will go beyond what PCI-DSS requires, and its own compliance (a current attestation of compliance) should be verified before any card data is handed over.
The cost of becoming compliant and maintaining ongoing compliance is high, requiring expert staff, systems and processes. The 'mandated' external services required by the standard need to be carried out by specialists, and vulnerability scanning, QSA assessment and penetration testing all come with a big price tag attached.
In short, if you can keep cardholder data out of your own systems, and so avoid the bulk of PCI-DSS, do so.
Original article, by Angus Burrell, courtesy of CCR.