What Is Pci Compliance?

What is PCI Compliance?

PCI Compliance is maintaining adherence to the PCI DSS standard that was developed by major credit card companies as a “guideline to help prevent credit card fraud” ("PCI DSS"). Credit card fraud has taken the spotlight in the past several years due to the massive growth of e-commerce and online transaction processing. With the proliferation of e-businesses, it has become easier than ever to commit fraud over the internet.

Major credit card issuers such as MasterCard, Visa, American Express, Discover, and JCB International joined together to create a standard known as PCI DSS or Payment Card Industry Data Security Standard. In order to process credit card payments merchants and vendors are required to be compliant with the standard based on the Merchant Level of the organization. This standard was created in response to a dramatic rise in credit card data breaches at many high-profile organizations.

This standard defines a set of twelve requirements for compliance. In order to validate a company is in compliance with the PCI Data Security Standard, large organizations are audited by external auditors that are PCI Qualified Security Assessors (QSAs). Smaller companies that process less than 80,000 transactions per year are allowed to perform a self-assessment questionnaire, which determines if the merchant is within compliance.

Who owns the PCI Data Security Standard?

In June of 2005, these five major credit card issues came together and founded the PCI Security Council. The main purpose of the PCI Security Council was to create, own, and manage the PCI Data Security Standard for credit card data. However, the PCI Security Council is not a policing organization and does not enforce PCI Compliance, and it does not determine what remediation is appropriate for violations of the PCI Data Security Standard.

In September of 2006 the PCI Data Security Standard was updated to version 1.1 which is currently in-use today. The PCI Security Council works to promote the broad industry adoption of this standard, and also generates tools to assist companies in complying with these standards. Some of the tools are guidelines, scanning requirements, and even a self-assessment questionnaire.

Before the PCI Security Council and Data Security Standard existed, each of the five credit card issuers had their own internal extensive compliance policies. But vendors or merchants who wanted to process more than one type of credit card would have to comply with requirements defined by each card issuer. By coming together under the umbrella of the PCI Security Council these major brands were able to codify their corporate standards into a public standard, and place pressure on organizations that process credit transactions to protect cardholder data against fraud and theft.

The founding organizations not only developed this standard, but also incorporated these standards into their own data security compliance programs. All five organizations share equally in governing the council; have equal input regarding issues; and all the organizations share responsibility for maintaining the PCI Data Security Standard.

Case Study: TJX Companies

In March of 2007, just last year, TJX Companies, owner of TJ Maxx and Marshall’s revealed the extent of damage of a number of security breaches that had taken place over the course of seventeen months. Over 45.7 million credit and debit card information was breached; in addition, approximately 455,000 customers who returned merchandise without receipts had their Driver’s License information stolen as well.

Although the example here is about a traditional brick and mortar company, all of this information is transmitted electronically, and highlights the severity of credit card security issues that are looming over us daily.

In a filing with the Securities and Exchange Commission (SEC) TJX Companies “stated that its computer systems were first hacked in July 2005 by one or more intruders who accessed information from customer transactions dating back to January 2003” ("Introduction to PCI Compliance").

The costs resulting from these breaches will be very extensive. One example is that each account that was breached will require the issuing bank to have to re-issue a new card to the accountholder. At twenty-five dollars per card, and over 40 million accounts breach which amounts to a very, steep price tag.

In addition, there are a number of other costs associated with the discovery of this major breach of security such as hiring a security consulting agency in order to overhaul the internal network and align the company’s internal policies and practices to conform to PCI standards; civil lawsuits, and punitive damages.

According to an article on CNET.com, “The Arkansas Carpenters Pension Fund, one of the largest shareholders, filed suit” claimed that “TJX вЂ?wrongfully denied (them) access to the materials pertaining to the data breach” (McCarthy). The lawsuit was filed in Delaware, possibly because there is a Delaware state law that “allows a company’s shareholders to access corporate documents in certain situations” (McCarthy).

Becoming a law?

As of May 21st, 2007, Minnesota became the first state to make core PCI requirements a law for all companies processing

...