April 25, 2005
(Computerworld)
Companies that manage credit card information have just over a month to comply with new data-protection requirements being pushed by MasterCard International Inc. and Visa U.S.A. Inc. amid growing concerns about identity theft and fraud.
The Payment Card Industry Data Security Standard, or PCI, lists 12 items that retailers, online merchants, data processors and other businesses that handle credit card data will have to start meeting by June 1. The standard sets technology requirements such as the use of data encryption, end-user access control, and activity monitoring and logging. It also includes procedural mandates such as the need to implement formal security policies and vulnerability management programs.
The standard also requires companies to validate their compliance via a PCI-certified assessor either annually or quarterly, depending on their transaction levels. Banks that issue credit cards will be responsible for ensuring that companies comply with PCI and could face up to $500,000 in fines per incident if data is compromised.
The PCI standard aligns and builds on the separate security requirements that both MasterCard and Visa had prior to December 2004, said John Verdeschi, MasterCard's vice president of e-business and emerging technologies. It's designed to offer a common approach for protecting credit card data across both brands, he said.
Other card companies, including American Express Co. and Diners Club International Ltd., have also endorsed the PCI standard, he added.
Complex Requirements
"The good part about the program is that it provides good guidelines and standards of conduct," said Todd Mazurek, vice president of strategic planning at Tickets.com Inc., a Costa Mesa, Calif.-based provider of ticketing services for live events.
But complying with some of the PCI provisions could be difficult for midsize and small merchants, Mazurek warned. One example is the requirement that merchants record and keep track of all activity involving access to information about cardholders.
"That's a lot of information that you need to track," Mazurek said. "Doing that in a manner that doesn't impact your responsiveness is somewhat tricky."
OshKosh B'Gosh Co. is working with the vendor of its point-of-sale software to bring approximately 600 POS systems in 170 stores into compliance with PCI, said Jon Dell'Antonia, CIO at the Oshkosh, Wis.-based clothing retailer.
"It really involves what data you capture and forward when you scan a credit card in stores," Dell'Antonia said. The company is also evaluating what other changes it needs to make to comply fully with the standard, he added.
Jelly Belly Candy Co. is doing a similar evaluation of its Web site operations to see what compliance-related issues it might need to address, said Gary Praegitzer, a security specialist at the Fairfield, Calif.-based candy maker.
"It's a good thing to have a list of things to check off to see if we are following guidelines," Praegitzer said. He added that Jelly Belly is using Qualys Inc., its vulnerability assessment service provider, to scan and audit the site. Redwood Shores, Calif.-based Qualys offers a MasterCard-certified testing process that features self-service compliance assessment and reporting.
The PCI requirements reflect an effort to staunch the growing costs associated with credit card fraud and security-related card replacements, said Michael Dahn, a senior adviser at Ambiron LLC, a Chicago-based provider of security services for the payment processing industry.
For example, companies will need to encrypt or otherwise mask credit card information that may be stored on POS systems, Dahn said. Currently, many retailers store credit card information on such systems for periods of up to a month for backup or settlement reasons, he noted.
Under PCI, it would be an "egregious violation," subject to steep fines, for companies to store unencrypted credit card data on POS systems, Dahn said.
The Digital Dozen
VISA AND MASTERCARD'S NEW DATA-PROTECTION RULES
BUILD AND MAINTAIN A SECURE NETWORK
Install and maintain a firewall configuration to protect data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
PROTECT CARDHOLDER DATA
Safeguard stored data.
Encrypt transmission of cardholder data and sensitive information across public networks.
MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
Use and regularly update antivirus software.
Develop and maintain secure systems and applications.
IMPLEMENT STRONG ACCESS-CONTROL MEASURES
Restrict access to data by business need to know.
Assign a unique ID to each person with computer access.
Restrict physical access to data about cardholders.
REGULARLY MONITOR AND TEST NETWORK SECURITY
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
INFORM EMPLOYEES ABOUT SECURITY POLICIES
Maintain a policy that addresses information security.
Source: Visa U.S.A. Inc.