Retail e-commerce sales in the United States alone amount to tens of billions of dollars. However, in 2006, credit card fraud was the most common form of identity theft, accounting for 25% of all reported identity thefts in the US. This meant that over $50 billion was lost to credit card fraud in that year alone.
Credit Card Fraud in Context
The following high-profile cases of credit card fraud underscore the need for security practices, such as the PCI DSS:
– February 2005: Bank of America loses 1.2 million customer records, although there was no evidence that the records had come into the wrong hands.
– June 2005: Merchant payment-processing provider CardSystems is sued for failing to provide adequate protections for the personal information of over 40 million customers.
– February 2006: Approximately 400,000 debit card accounts are exposed through retail merchants.
– January 2007: A server belonging to MoneyGram, a payment service provider, is unlawfully accessed, revealing the names, addresses, phone numbers and bank account numbers of some 79,000 customers.
– January 2007: The credit/debit card numbers of over 45 million customers are stolen from the TJX IT system.
What is PCI DSS?
In 2004, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International created the Payment Card Industry (PCI) data security framework. Before developing this standard, each company had a proprietary set of information security requirements, which presented a challenge to participants in multiple brand networks. The uniform set of information security requirements they developed became known as the PCI Data Security Standard (PCI DSS), which applies to all payment channels: retail, mail orders, phone orders and e-commerce.
PCI DSS comprises twelve security requirements (also known as the “digital dozen”), which are as follows:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for employees and contractors.
Compliance with PCI DSS
Compliance with PCI DSS is becoming increasingly important for businesses of all sizes. Demonstrating compliance with the standard shows customers that an organization has secure systems that can be trusted with their sensitive payment card information. As a result, customers are more likely to trust the brand, become repeat customers and recommend the business to others. Compliance with PCI DSS can also improve a business’s reputation with acquirers and payment brands, and it can make other compliance processes easier (e.g. with HIPAA, SOX, etc.).
There are three main stages of compliance:
- Collecting and Storing – The secure collection and tamper-proof storage of log data so that it is available for analysis.
- Reporting – The ability to prove compliance in the event of an audit. The organization should also be able to show evidence that data protection controls are in place.
- Monitoring and Alerting – Implementing systems that enable administrators to monitor access to and usage of data. There should also be evidence that log data is being collected and stored.
Non-compliance with the PCI DSS has numerous negative consequences. Compromised payment card data harms consumers, merchants and financial institutions alike, and can damage an organization’s brand reputation. Breaches of account data can result in lost sales and relationships, diminished community standing and, for publicly traded companies, decreased share prices.
Other negative consequences of non-compliance may also include:
– Cancelled accounts
– Payment card issuer fines (which can amount to up to $500,000 per incident)
– Government fines
– Insurance claims
– Loss of ability to process payment card transactions
PCI DSS in Canada
PCI DSS has been a major driving force for Canadian businesses in improving their IT security systems. As a globally recognized set of mandatory security practices, PCI DSS applies to any Canadian company, organization or government department that stores, processes or transmits payment card information. Because the twelve requirements of PCI compliance form the foundation of general IT security frameworks, they may be a good starting point for a variety of organizations.
According to IBM Canada security architect Gary McIntyre, “Canadian firms that failed to achieve PCI compliance would not likely get disconnected from the card networks, but they would face stringent financial penalties from Visa or MasterCard.”
This article explores the PCI DSS (Payment Card Industry Data Security Standard), developed in 2004 by a number of stakeholders in the payment card industry. The PCI DSS comprises twelve security requirements, which are referred to as the “digital dozen.” The article discusses the advantages of compliance, as well as the stages necessary to achieve compliance with the PCI DSS. Finally, the article looks at the PCI DSS from an international standpoint, introducing the adoption of the standard in Canada.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
– Industry Consortia Security Frameworks (V.B.iv.)
– PCI DSS (V.B.iv.1.)