SECURITY
Understand the New PCI Security Standard
Changes to the standard aim to help merchants comply.
The most significant modification to the Payment Card Industry Data Security Standard (PCI DSS) involves the Level 2 merchant category, which previously only applied to merchants processing between 150,000 and six million Visa e-commerce transactions per year. Level 2 has now been broadened to include all acceptance channels and applies to any merchant processing one million to six million Visa transactions per year. After December 31, 2006, merchants may no longer use the older PCI DSS for compliance validation. Experts estimate these changes have the potential to impact thousands of merchants.
In a released statement about the enhanced standard, Mike E. Smith, senior vice president, Enterprise Risk and Compliance, Visa U.S.A., stated, "Protecting the environment is critical to ensuring the future growth of electronic payments. Extending more rigorous validation requirements to additional merchants better reflects the security risks present in the marketplace."
While none of the broad validation requirements have changed, merchants moving into a new validation level will be responsible for complying with that category’s validation responsibilities. For example, merchants moving from Level 4 to Level 2 must now implement quarterly security scans performed by a qualified independent scan vendor. Also included in the standard for the first time is a listing of Compensating Controls that govern the activities of merchants unable to fully comply with the full PCI DSS 1.1 standard on the aggressive timetable set forth by the PCI Security Standards Council.
Origins and evolution of the PCI Standard
The original PCI data security standard was designed in December 2004 to better protect payment information from theft, fraud, or misuse. Since the PCI initiative was issued, however, enterprise adoption has lagged, with fewer than 20 percent of Level 1 merchants presently in compliance. These 231 merchants process well over six billion transactions annually. With the potential for fines of over US$500,000 for non-compliance, however, and an expansion in the number of affected merchants, companies are actively seeking solutions to help them respond to the changes.
The PCI Security Standards Council developed the enhanced PCI DSS version 1.1, which is a set of comprehensive requirements for enhancing payment account data security to help facilitate the broad adoption of consistent data security measures on a global basis. This multifaceted security standard includes a core group of principles and accompanying requirements that govern compliance activities of merchants and service providers that store, process, or transmit cardholder data. The PCI Security Standards Council was established to enhance PCI DSS as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption. (See the sidebar, Independent Organization Will Create and Maintain PCI Security Standards.)
Sidebar: Independent Organization Will Create and Maintain PCI Security Standards
An independent council has formed to manage the ongoing evolution of the Payment Card Industry (PCI) Data Security Standard, which focuses on improving payment account security throughout the transaction process. The PCI Security Standards Council, LLC will strive to secure payment account data in a globally consistent manner. The goal is for more than a billion global payment card users to benefit from a higher level of security protection against data theft and fraud. Companies participating are: American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.
"The payment brands that founded the Council are committed to ensuring the ongoing development of data security standards that are both efficient and effective," says Seana Pitt, PCI Security Standards Council chairperson. "The creation of this Council is a significant step forward in protecting cardholder information and it underscores the critical nature of this effort."
Specifically, the PCI Security Standards Council will:
- Develop and maintain a global, industry-wide technical data security standard
- Reduce costs and lead times for Data Security Standard implementation and compliance by establishing common technical standards and audit procedures for use by all payment brands
- Lead training, education, and a streamlined process for certifying Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)
- Provide a forum in which all stakeholders can provide input into the ongoing development and dissemination of data security standards.
The PCI Security Standards Council invites all parties with a role to play in securing payment account data, including merchants, payment device and services vendors, processors, financial institutions and others, to participate.
Participating organizations can recommend changes, provide input on future initiatives, have access to and the ability to comment on drafts of potential changes to security standards in advance, and influence the organization's overall direction. In addition, participating organizations will be able to elect or serve as a member of the PCI Security Standards Council's Board of Advisors.
The PCI Security Standards Council will serve as an advisory group and manage the underlying PCI security standards, and each payment card brand will remain responsible for its own compliance programs.
You can access additional information about the council and its ongoing activities at https://www.pcisecuritystandards.org/.
Aaron C. Newman is co-founder and the chief technology officer of Application Security, Inc. (AppSecInc). He is responsible for defining the overall AppSecInc product vision. Aaron is known as a foremost database security expert. He is the co-author of the Oracle Security Handbook, published by Oracle Press. For more information on AppSecInc, please visit: www.appsecinc.com.
ARTICLE INFO
Web Edition: 2006 Week 43, Doc #18495
Keyword Tags: Compliance, Corporate Compliance, E-Business, E-Commerce, Financial Management, IT Networking, Security, Training