
Securing Credit Transactions: the PCI Data Security Standard

The Payment Card Industry (PCI) Data Security Standard is a set of rules governing the security of credit card data handled over the Internet. It was developed by a group of major credit card companies to standardize how cardholder information should be transmitted and what security measures merchants and service providers must implement in order to bill through those card brands. The PCI Standard went into effect in 2004.

Prior to the PCI Standard, each credit card company, such as Visa and MasterCard, had its own data security standard. For a merchant or service provider to bill through several major card brands, several different standards had to be met at once. This became a major hassle for companies trying to keep up with evolving requirements, so representatives from several major card companies, including Visa, MasterCard, American Express, Discover, and JCB, formed the PCI Security Standards Council, which in turn developed the PCI Data Security Standard.

It should be noted that the PCI Standard is not a government regulation: merchants and service providers cannot be held legally accountable to this standard. What can happen, however, are fines and other business-related action for non-compliance. Service providers, such as third-party billing agents, are required to be fully compliant with the PCI Standard because they are responsible for the integrity of client transactions as well as their own. Merchants, on the other hand, process only their own payments and are held to different levels of compliance based on the number of transactions processed per year.

The detailed requirements of the PCI Standard are extensive and precise. The main points are separated into twelve basic requirements, spread over six categories, with each requirement having several sub-requirements. The six main categories are summarized below:

Build and Maintain a Secure Network
Appropriate firewall and access control measures must be implemented to secure data transmissions and protect cardholder information. Vendor-supplied defaults for passwords and other security features should not be used, as these are commonly known and often used to penetrate systems.

Protect Cardholder Data
The amount of cardholder data stored should be the minimum needed to do business; for example, truncating the primary account number (PAN) when the full number is not needed, and properly disposing of data once it is no longer needed. In addition, cardholder data must be encrypted when it is stored and when it is transmitted across public networks.
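The PAN truncation and data-minimization rule above is the one part of this category that reduces to code a developer can check. The following is an added example (not from the original article or from any card brand's own software) showing how a payment application might validate a PAN's format, mask it for display using the first-six/last-four convention, and strip a transaction record down to what may be retained after authorization. The record field names (`pan`, `cvv`, `expiry`, `amount`) and the sample card numbers are constructed for the example; the sample numbers are well-known test patterns, not real accounts.

```python
import re

# Constructed sample input: a transaction record as a merchant's checkout form
# might produce it. The PAN is a standard test number, not a real account.
SAMPLE_TRANSACTION = {
    "pan": "4111 1111 1111 1111",
    "cvv": "123",
    "expiry": "12/29",
    "amount": "19.99",
}

# Fields that must never be retained once a transaction has been authorized.
# Assumption for the example: the CVV field name is 'cvv'.
SENSITIVE_AUTH_FIELDS = ("cvv",)


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' and
    '4111-1111-1111-1111' are treated as the same number."""
    return re.sub(r"[\s-]", "", pan)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 checksum used by all major card brands.
    Catches typos and garbage before the number is stored or logged."""
    digits = [int(c) for c in pan]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible,
    the usual truncation used on receipts and in logs. Raises ValueError on
    input that does not look like a card number, so bad data is never
    silently written out."""
    pan = normalize_pan(pan)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a plausible PAN")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_for_storage(record: dict) -> dict:
    """Reduce a transaction record to the minimum a merchant may keep:
    drop sensitive authentication data entirely and keep only the
    masked PAN. Everything else is passed through unchanged."""
    kept = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    kept["pan"] = mask_pan(record["pan"])
    return kept


if __name__ == "__main__":
    print(redact_for_storage(SAMPLE_TRANSACTION))
    # {'pan': '411111******1111', 'expiry': '12/29', 'amount': '19.99'}
```

Note that masking is not the same as encryption: a masked PAN is safe to put in a log line or a receipt precisely because the full number cannot be recovered from it, whereas the full PAN, when it must be kept at all, still has to be encrypted at rest as the article describes.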

Maintain a Vulnerability Management Program
New viruses and malware are developed every day, and anti-virus software must be kept up to date in order to mitigate these threats. Software applications and systems should be updated with the latest vendor-supplied security patches, and further secured through input validation and other anti-hacking measures.

Implement Strong Access Control Measures
Only employees who require access to data for business-related reasons should be allowed access, and each individual user must be assigned a unique identifier. Physical access to the servers where data is stored must be restricted and secured as well, because hardware can easily be stolen, compromised, or otherwise tampered with.

Regularly Monitor and Test Networks
All network activity must be monitored to ensure no unauthorized access occurs. If security holes are found, they must be fixed immediately. Systems and processes should be tested regularly to confirm that the network remains secure.

Maintain an Information Security Policy
Strict policies regarding information security must be implemented and enforced. This includes threat assessments, a definition of acceptable equipment use, data backup systems, and incident response and disaster recovery procedures.

The full text of the PCI Standard can be downloaded in Adobe PDF format from the PCI Security Standards Council website.

To find out whether a particular company is compliant with the PCI Standard, anyone can contact one of the five major card companies directly, or visit Visa's website to view a list of currently compliant companies.

William Bell

William Bell is the Director of Security for EC Suite, a leading provider of credit card processing, affiliate management, wholesale bandwidth, content protection, and other e-commerce solutions.
