According to the most recent Unisys Security Index, a leading social indicator of how consumers feel about certain risks, financial fraud – especially the unauthorized use of credit and debit cards – remains one of the top concerns across the country.
Sixty-two percent of adults are “seriously concerned” about the unauthorized use of their cards. Financial institutions and businesses, which lose billions of dollars to fraud every month, are continually fighting both amateur and sophisticated fraudsters.
The latest push to make credit card transactions safer is taking place right now.
What is the PCI?
The Payment Card Industry Security Standards Council (“PCI”) is an association formed in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Its purpose is to develop, manage and raise awareness about security standards for ensuring that credit card information is kept safe. There are three standards: the Data Security Standard (“DSS”), the Payment Application Data Security Standard (“PA-DSS”) and the PIN Entry Device (“PED”) Requirement.
What is the Data Security Standard (“DSS”)?
The DSS is the security standard which every business owner that accepts credit cards needs to know and implement. The DSS consists of 12 requirements organized under six principles:
- Principle: Build and Maintain a Secure Network
  - Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  - Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Principle: Protect Cardholder Data
  - Requirement 3: Protect stored cardholder data
  - Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Principle: Maintain a Vulnerability Management Program
  - Requirement 5: Use and regularly update anti-virus software
  - Requirement 6: Develop and maintain secure systems and applications
- Principle: Implement Strong Access Control Measures
  - Requirement 7: Restrict access to cardholder data by business need-to-know
  - Requirement 8: Assign a unique ID to each person with computer access
  - Requirement 9: Restrict physical access to cardholder data
- Principle: Regularly Monitor and Test Networks
  - Requirement 10: Track and monitor all access to network resources and cardholder data
  - Requirement 11: Regularly test security systems and processes
- Principle: Maintain an Information Security Policy
  - Requirement 12: Maintain a policy that addresses information security
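Requirement 3 (protect stored cardholder data) is the one most merchants meet in code rather than in policy, so here is an added example, not taken from the PCI standard or from the original article, of what it means in practice: the DSS allows a displayed card number to show at most the first six and last four digits, requires a stored PAN to be rendered unreadable (truncation, one-way hashing or tokenization are the permitted approaches), and forbids storing sensitive authentication data such as the CVV or magnetic-stripe track data after authorization. The field names, the `PAN_HASH_KEY` environment variable and the sample record are assumptions made for this illustration; the card number 4111 1111 1111 1111 is a constructed test value, not a real card.

```python
"""Cardholder-data handling helpers illustrating PCI DSS Requirement 3.

Added example (not the PCI Council's or the article's own code). Field names,
the PAN_HASH_KEY environment variable and the sample record are assumptions.
"""
import hashlib
import hmac
import os
import re

# Sensitive authentication data that PCI DSS forbids storing after authorization.
# The key names are assumed; adapt them to the record format you actually handle.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "pin", "pin_block"}

# Hypothetical per-deployment secret for the keyed hash. In a real deployment this
# comes from a key-management system, never from a hard-coded fallback.
_HASH_KEY = os.environ.get("PAN_HASH_KEY", "example-key-replace-me").encode()


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes and check that 13-19 digits remain (the PAN length range)."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: only the first six and last four digits are visible."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form that is no longer a usable card number: only the last four digits."""
    return normalize_pan(pan)[-4:]


def hash_pan(pan: str) -> str:
    """Keyed one-way hash usable as a lookup token for matching repeat transactions."""
    return hmac.new(_HASH_KEY, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy of a transaction record that is safe to persist.

    Forbidden fields are dropped entirely; the full PAN is replaced by its
    truncated form and a keyed hash so the original number is never written.
    """
    clean = {k: v for k, v in record.items() if k.lower() not in FORBIDDEN_FIELDS}
    if "pan" in clean:
        pan = clean.pop("pan")
        clean["pan_last4"] = truncate_pan(pan)
        clean["pan_token"] = hash_pan(pan)
    return clean


if __name__ == "__main__":
    # Constructed sample record using the well-known test number, not a real card.
    sample = {"pan": "4111 1111 1111 1111", "cvv": "123", "amount": "10.00"}
    print(mask_pan(sample["pan"]))
    print(sanitize_for_storage(sample))
```

The design point is that the dangerous fields never reach the persistence layer: `sanitize_for_storage` is the single choke point through which every record passes, which is far easier to audit than trying to find and scrub full card numbers after they have spread across logs and databases.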
The complete DSS can be downloaded from the PCI website.
How does PCI DSS enforcement work?
These standards are published by the PCI and enforced by each of the major credit card interchanges, which I mentioned in my previous article on interchange fees. How you comply with them depends on whether you are a merchant, a service provider or a financial institution. You are a merchant if you accept credit card payments from your customers.
Go to the article: Are You PCI Compliant?