A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

October 22, 2007 • Issue 07:10:02

PCI DSS implementation: A concise review

By Robert Heinrich
Alpha Card Services Inc.

The dramatic increase in credit and debit card usage has been accompanied by an exponential rise in bankcard fraud. The well-publicized March 2007 TJX Companies Inc. disclosure that debit and credit card data from at least 45.6 million of its customers were stolen by hackers is an example of the damage a breach in just one network can cause.

All businesses handling credit and debit card data now must comply with strict security guidelines known as the Payment Card Industry (PCI) Data Security Standard (DSS).

The PCI DSS was developed by Visa Inc., MasterCard Worldwide, American Express Co., Discover Financial Services LLC, and JCB International Credit Card Co. to protect cardholders by ensuring that merchants meet minimum levels of security when they store, process or transmit primary account numbers (PANs).

A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or it risks fines, liability and losing the ability to process credit card transactions in the event of a data breach.

The accompanying table illustrates commonly used elements of cardholder data, whether storage of each is permitted and if each data element must be protected. The minimum account information that must be unreadable is the PAN. Any of these methods may be used: one-way hash functions (hashed indexes); truncation; index tokens and pads; and cryptography with associated management processes and procedures.


Interchange Chart
* Data elements must be protected if stored with the PAN. The protection must meet PCI DSS requirements.
* * Sensitive authentication data can't be stored subsequent to authorization even if it is encrypted.

Promoting PCI DSS

The PCI Security Standards Council was founded in June 2005 as an independent industry standards body providing management of the PCI DSS on a global basis.

The council is not a policing organization. It maintains and promotes PCI DSS, as well as publishes a list of certified assessors and vendors to help assure customers that their credit card data is safe from hackers or any malicious intrusion when given to a PCI compliant merchant.

PCI compliance requires that all merchants and service providers that handle, transmit, store or process information concerning any of these cards, or related card data, enact specific safeguards. If they are not compliant, they can face monetary penalties, be held liable for any data breach and have their card processing privileges terminated by the credit card issuers. Drilling down The main purpose of PCI is to force merchants and third-party service providers to embrace common security controls to protect credit card data and reduce fraud and theft. Following are the six primary control areas and 12 specific requirements of the PCI DSS. A single violation of any of the below requirements will result in a noncompliant status.

Build and maintain a secure network:

    1. Install and maintain firewall configurations.
    2. Do not use vendor-supplied or default passwords.
Protect cardholder data:
    3. Protect stored data.
    4. Encrypt transmissions of cardholder data across public networks.
Maintain a vulnerability management program:
    5. Use and regularly update anti-virus software.
    6. Develop and maintain secure systems and applications.
Implement strong access control measures:
    7. Restrict access to need-to-know.
    8. Assign unique IDs to each person with computer access.
    9. Restrict physical access to cardholder data.
Regularly monitor and test networks:
    10. Monitor and track all access to network resources and cardholder data.
    11. Regularly test security systems and processes.
Maintain an information security policy:
    12 Maintain a policy that addresses information security.

Defining the levels

Following are descriptions of established merchant levels, along with their respective PCI compliance validation requirements:

Level 1 comprises all merchants, regardless of acceptance channel, who have Visa and MasterCard transactions totaling 6 million and up per year, as well as any merchant who has experienced a data breach.

  • Validation requirement: Annual onsite review by merchant's internal auditor or qualified security assessor (QSA), or an internal audit, which must be signed by an officer of the company, in addition to a quarterly network security scan done by an approved scanning vendor (ASV).

Level 2 comprises all merchants, regardless of acceptance channel, whose Visa and MasterCard transaction total is from 1 million to 6 million per year.

  • Validation requirement: Completion of PCI DSS self-assessment questionnaire (SAQ) annually and a quarterly network security scan done by an approved ASV.

Level 3 comprises all merchants whose Visa and MasterCard e-commerce transaction total is from 20,000 to 1 million per year.

  • Validation requirement: Completion of the PCI DSS SAQ annually and a quarterly network security scan done by an approved ASV.

Level 4 comprises all merchants who do not fall into the other levels: merchants processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, as well as all other merchants processing up to 1 million Visa or MasterCard transactions per year.

  • Validation requirement: Completion of the PCI DSS SAQ annually and a quarterly network security scan done by an approved ASV.

Compliance mandates have typically focused on level 1, 2 and 3 merchants since they clear the largest volume of transactions. However, level 4 merchants are now receiving more scrutiny in terms of PCI compliance because they are using POS terminals connected to high speed Internet connections, which are vulnerable to hackers.

Level 4 merchants process fewer transactions than merchants at other levels, but they account for more than 99% of the merchants who accept Visa and MasterCard.

For the most part, level 4 merchants do not have the technical expertise to properly secure cardholder data. It is up to the acquirer to make sure that its level 4 merchants understand the need for being PCI compliant.

Minding the regs

In May 2007, Visa released a new level 4 merchant compliance program. It requires acquirers to develop and submit to Visa a formal written compliance plan, which will identify, prioritize and manage overall risk with their Level 4 merchant portfolios.

Companies are constantly at risk of losing sensitive cardholder data. A breach, loss or theft can result in fines, legal action and bad publicity.

This will, in turn, lead to lost business. Achieving compliance with the PCI DSS needs to be high on the agenda for all merchants and service providers that handle, transmit, or store credit card data.

The following Web site contains pertinent reference material: www.pcisecuritystandards.org. end of article

Robert Heinrich is President of Sales for Alpha Card Services Inc, a registered ISO of HSBC Bank, National Association. Named by Inc. magazine the 99th fastest growing privately held company in America, ACS has more than 30 years' experience providing expertise to ISOs and merchant level salespeople seeking to expand their portfolios. For more information, visit http://thealphaedge.com or e-mail rheinrich@alphacardservices.com.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing