office (503) 896-1104
fax (503) 296-2340
e-mail support@pcidsspolicy.com 

 

Payment Card Industry Data Security Standard (PCI DSS)

Customized Information Security Policies for Merchants

There are many compelling reasons for Small and Medium Businesses (SMBs) to implement Information Security policies. In particular, the Payment Card Industry Data Security Standard (PCI DSS) is arguably the most significant compliance liability facing merchants today, and most merchants are largely unaware of it.

The PCI DSS applies to every organization that stores, processes or transmits cardholder data, including merchants and the third-party service providers they use. If you are a merchant, PCI compliance is not a request or a suggestion - it is a contractual requirement of accepting payment cards, regardless of your size or location.

What Is the PCI DSS?

The Payment Card Industry (PCI) Security Standards Council was founded by the five major card brands: Visa, MasterCard, American Express, Discover, and JCB International. The PCI Data Security Standard (PCI DSS) is the council's international standard for protecting cardholder data wherever it is stored, processed or transmitted. Its first and most fundamental goal is that merchants build and maintain a secure network.

Under the PCI DSS, if a company is non-compliant at the time of a breach, it faces three potential costs (not including potential lawsuits from affected breach victims):

  1. Fines from the payment-card brands, typically passed down through the merchant's acquiring bank.
  2. Reimbursement of breach-related costs sustained by card-issuing banks and credit unions (e.g. fraudulent charges, breach notification expenses and legal fees).
  3. Costs associated with reissuing cards to compromised customers.

Several of the standard's requirements focus specifically on the security of computer networks. These requirements demand direct attention to ensure the network meets the exacting criteria. Because the consequences of non-compliance are substantial, this issue does require immediate attention.

The 12 requirements of the PCI DSS are:

  1. Install and maintain a firewall configuration to protect cardholder data.

  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

  3. Protect stored cardholder data.

  4. Encrypt transmission of cardholder data across open, public networks.

  5. Use and regularly update anti-virus software or programs.

  6. Develop & maintain secure systems and applications.

  7. Restrict access to cardholder data by business need-to-know.

  8. Assign a unique ID to each person with computer access.

  9. Restrict physical access to cardholder data.

  10. Track & monitor all access to network resources & cardholder data.

  11. Regularly test security systems & processes.

  12. Maintain a policy that addresses Information Security for employees and contractors.

The good news is that there is a cost-effective way to start on the road to PCI compliance. We recommend beginning with the most fundamental part of securing your computer network: the policies, procedures, standards, and guidelines the PCI DSS requires. Written policies are the foundation (and Requirement 12 explicitly demands them), but they are not the whole job; the technical controls in the other eleven requirements must still be implemented, and compliance must be validated each year, by Self-Assessment Questionnaire or on-site assessment depending on your merchant level.

Why Is Complying With the PCI DSS Important?

With consequences ranging from fines to devastating lawsuits, the cost of precautionary measures pales in comparison to the reactive cost of cleaning up after a breach that occurs while you are non-compliant. As a merchant, if you are non-compliant at the time of an incident, the card brands (acting through your acquiring bank) can hold you liable for the fraudulent charges, as well as for the cost of reissuing cards to affected cardholders. Additionally, if your failure to meet the PCI DSS results in fraud or identity theft against a customer, opposing counsel can readily argue negligence on your part: industry standards such as the PCI DSS are the benchmarks a court uses to decide whether a business behaved negligently, so failing to meet them can be used against you in a lawsuit.

The bottom line is that the cost of complying with the PCI DSS is an unavoidable cost of doing business. To reduce the burden of this process, we can provide a cost-effective, customized Information Security Policy Manual (ISPM) for merchants. The ISPM covers the PCI DSS and more, so you can both implement and document the security of your computer network. Having the ISPM and carrying out the steps it prescribes demonstrates due care and due diligence on your part, which is the first step in reducing your liability as well as in becoming PCI DSS compliant.

The benefits of Information Security for small and medium businesses are many:

  • Decreased costs - less reactive IT support
  • Improved productivity - decreased distractions
  • Decreased virus & spyware outbreaks
  • More efficient operations
  • Better performing network & computers
  • Better accountability of assets & resources
  • Better educated & trained employees


One commonly overlooked benefit of an effective Information Security program is the cost saving from reduced reactive IT support. A well-run Information Security program can show a positive Return on Investment (ROI).

 

Protect your business today with a professionally written set of Information Security policies - affordable for every business at only $435.

 

Information Security Policy Example

 

How To Become PCI Compliant