PCI Compliancy Overview
What does PCI stand for?

Payment Card Industry.

What is PCI Compliance?

Guidelines put forward in the interest of creating a global standard for protecting cardholder data.

Who drives the Compliancy policy?

The PCI Council, which is made up of all the card brands and a board of advisors consisting of industry experts.

To whom do these regulations apply?

PCI compliance applies to all merchants and service providers who accept, capture, store, transmit or process credit and debit card data.

How can my system be breached?

Years ago a fraudster would walk in, steal receipts and leave with cardholder data. Typically this fraud was easy to detect and could be managed much more quickly.

Hackers are becoming more sophisticated each day. They are able to plant complex malware on merchant computer systems that can go undetected for months, and sometimes even years, all the while stealing cardholder data that is eventually used to create counterfeit cards.

Unfortunately, these attacks are very difficult to find during the course of normal business. Often a merchant is not aware until it is too late and large amounts of fraudulent charges have occurred, for which the merchant is now liable.

Weak passwords, poor or no anti-virus software, a poor or missing firewall, and employee fraud also contribute to security breaches.

What is the penalty for being breached?

Fines are $5,000 from Visa and a similar fine from MasterCard. American Express imposes its own regulations on merchants due to the nature of its relationship with them; however, it is part of the overall PCI DSS.

Initial forensics for a breach cost $10,000 to $15,000 and must be contracted within 5 days of identification of the breach.

Chargebacks are usually the greatest cost, averaging around $30,000, but they have been as high as $1.2M.

What happens after a company’s security is breached?

Once it is determined that a company’s security has been compromised, the company has 30 days to become compliant.

A Level 4 merchant must then validate PCI compliance 30 days after the final forensic report is completed. (A Level 4 merchant is one who processes fewer than 20 thousand credit card transactions annually. Most BHD customers fall in the Level 4 category.)

Validating PCI compliance involves an assessment and a scan, which must be approved and signed by a Qualified Security Assessor.

Additionally, for the next year the company must report its PCI compliance on a quarterly basis to both Visa and MasterCard, which requires additional work.

What is the deadline for our business to become PCI Compliant?

By October 1, 2009, no business will be allowed to use a payment application classified as ‘Known Vulnerable’.

If you are breached before that date, you are still 100% responsible and will be fined.

Some PCI statistics:

* Over 90% of compromises occur at ‘Level 4’ merchants. Level 4 merchants are those who process fewer than 20 thousand credit card transactions annually; most BHD customers fall in the Level 4 category.
* 75% of compromises occur when the card is physically presented at the POS.
* 52% of compromises occurred through an "always on" Internet connection.
* The average breach will cost a merchant $50,000 and takes one year to manage. The company is then monitored by the card brands for one year.

Basic Requirements of PCI Compliance:

PCI DSS 1.1 includes 12 major requirements:

- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors

A single violation of any of the requirements can trigger an overall non-compliant status. Each non-compliant incident can result in steep fines and in suspension or revocation of card processing privileges.

According to surveys conducted by Forrester Research, most companies will be PCI compliant within the next 6 to 12 months. "That may be a little late for some companies, but that is the data that we find, at the moment," Kark said. “But just because an organization is currently PCI DSS compliant right now does not mean that it will continue to be compliant indefinitely. Compliance with the PCI DSS rules will continue indefinitely, as new technologies and new ways of hacking personal data continue also.”

We hear from companies that invested a year or more ago and are now completely compliant; they say: “We spent the money a couple of years ahead of time, but are now realizing the benefits of that spending.”

For additional information on PCI Compliancy, please visit: https://www.pcisecuritystandards.org