Club Management Software, Member Management Software - CSI Software

Payment Card Industry Data Security Standard: The Benefits of Compliance

 

If your facility processes, stores, or transmits payment card data (debit or credit), your organization must be compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).

The PCI Security Standards Council (SSC) does not itself enforce compliance with the DSS. That does not make it safe or advisable to ignore the PCI DSS. The payment brands that founded the PCI SSC (Visa, MasterCard, American Express, Discover, and JCB) each run compliance programs that protect their cardholders' sensitive information, and each enforces the standard through the acquiring banks. If you do not comply with the PCI DSS, you are exposed to fines and other sanctions from the payment brands your customers use. Furthermore, states are continually enacting or revising laws that codify all or part of the PCI DSS. As the PCI DSS gains legal significance, understanding and implementing its requirements becomes ever more important.

Attaining or upholding compliance with the PCI DSS offers your company many benefits.

  • A more reliable and systematic payment process. PCI DSS compliance ensures that your company has an actionable framework for keeping your customers' personal and financial information organized and safe.

  • Increased trust from your customers. It is not uncommon for your customers to have a friend or relative who has fallen victim to identity theft or payment card fraud. They are aware of the potential risks involved with using payment cards and are often concerned about the security of their personal and financial information. If you are PCI DSS compliant, you can gain the increased confidence of your customers by assuring them that their information is safe and that you have made their security a priority in your company.

  • A viable edge in the marketplace. PCI DSS compliance is another sign of excellence, professionalism, and quality assurance with which you can leverage your company above the competition.

Achieving PCI DSS compliance is not solely an information technology (IT) responsibility, but a Payment Application Data Security Standard (PA-DSS) validated software solution helps you meet the IT-related PCI DSS requirements (securing your network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, and regularly monitoring and testing networks). Conversely, a payment application that has not been validated against the PA-DSS may itself store data the PCI DSS prohibits, such as full magnetic stripe contents, and so make it technically impossible for you to meet the PCI DSS no matter what else you do.


According to the Payment Card Industry (PCI) Security Standards Council, the PCI Data Security Standard (DSS) "represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information." The PCI DSS "provides an actionable framework for developing a robust account data security process, including preventing, detecting, and reacting to security incidents."

The PCI DSS defines the conditions necessary for proper security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard was created to help your company proactively protect your members' account data. The PCI DSS is organized into the following six control objectives and their twelve accompanying requirements (sometimes referred to as the 12 Commandments).

PCI DATA SECURITY STANDARD

Build and Maintain a Secure Network

  • Install and maintain a firewall configuration to protect data

  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Protect stored cardholder data

  • Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Use and regularly update anti-virus software

  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Restrict access to data by business need-to-know

  • Assign a unique ID to each person with computer access

  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data

  • Regularly test security systems and processes

Maintain an Information Security Policy

  • Maintain a policy that addresses information security

 

According to the Payment Card Industry (PCI) Security Standards Council (SSC), all merchants—entities that accept payment cards bearing the American Express, Discover, JCB, MasterCard, or Visa logo as payment for goods and/or services—need to be PCI compliant. These payment brands have collectively approved the PCI Data Security Standard (DSS) as the requirement for organizations that process, store, or transmit their cardholders' data. The PCI SSC manages and updates the security standards, while each payment brand supervises companies and enforces compliance to these standards.

All merchants must meet the PCI DSS to be considered compliant. However, how compliance is validated depends on the merchant level, which each payment brand assigns based on the number of transactions processed over a 12-month period. The merchant levels and validation requirements defined by Visa are as follows.

Level 1

  Criteria: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region

  Validation requirements:

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)

  • Quarterly network scan by an Approved Scanning Vendor (ASV)

  • Attestation of Compliance form

Level 2

  Criteria: Merchants processing 1 million to 6 million Visa transactions annually (all channels)

  Validation requirements:

  • Annual Self-Assessment Questionnaire (SAQ)

  • Quarterly network scan by an ASV

  • Attestation of Compliance form

Level 3

  Criteria: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually

  Validation requirements:

  • Annual SAQ

  • Quarterly network scan by an ASV

  • Attestation of Compliance form

Level 4

  Criteria: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually

  Validation requirements:

  • Annual SAQ recommended

  • Quarterly network scan by an ASV if applicable

  • Compliance validation requirements set by the acquirer

Note: For information regarding merchant levels enforced by American Express, Discover, JCB, and MasterCard, see "References" at the end of this document.

 

The manner in which you validate your Payment Card Industry (PCI) Data Security Standard (DSS) compliance depends on your merchant level. The following list explains some of the common validation tools.

  • Approved Scanning Vendors (ASVs)—Organizations that validate adherence to certain PCI DSS requirements by performing external vulnerability scans of the internet-facing environments of merchants and service providers. The PCI SSC has approved over 130 ASVs.

  • Self-Assessment Questionnaire (SAQ)—A validation tool intended to help merchants and service providers evaluate their own compliance with the PCI DSS. The SAQ is for merchants and service providers that are not required to undergo an on-site data security assessment under the PCI DSS security assessment procedures, and may be required by your acquirer or payment brand.

  • Report on Compliance (ROC)—The report of an on-site assessment, completed by a QSA, that documents the results for acquirers and payment brands

  • Qualified Security Assessors (QSAs)—Employees of organizations that have been qualified by the PCI SSC, and who have themselves been certified by the council, to validate a company's adherence to the PCI DSS

Note: For more information about validating your PCI DSS compliance, consult an ASV or QSA or read the PCI SSC's Instructions and Guidelines to the SAQ.

 

The Payment Application Data Security Standard (PA-DSS) is for software developers and integrators of payment applications that store, process, or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed, or licensed to third parties. Most payment card brands encourage companies to use payment applications that are tested and approved by the Payment Card Industry (PCI) Security Standards Council (SSC). Validated applications are listed on the PCI SSC website.

Using a PA-DSS validated application does not by itself ensure PCI DSS compliance, but such applications help companies minimize the potential for security breaches, limit the damage of a compromise, prevent storage of sensitive authentication data (e.g., full magnetic stripe data, card validation codes and values, and PIN data), and facilitate overall compliance with the PCI DSS.


Important Note: The following general information is not intended to be legal advice and may not contain the most current legal developments. Consult a licensed attorney in your state before taking action based on this information.

While no federal laws exist regarding the Payment Card Industry (PCI) Data Security Standard (DSS), some states have enacted laws that require the PCI DSS or the reporting of data security breaches. In fact, forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.

The 2007 Minnesota Plastic Card Security Act makes a portion of the PCI DSS mandatory for Minnesota companies—not storing security codes, full payment card magnetic stripe information, or PIN codes—and gives financial institutions legal means to demand reimbursement for dealing with a breach resulting from a company's failure to comply with those requirements.

Nevada enacted revisions to its personal-information statute, effective January 1, 2010, that make compliance with the current version of the PCI DSS a specific legal obligation for data collectors that accept payment cards. The statute also requires the use of encryption when data collectors transfer personal information. In return, Nevada's statute creates a safe harbor against liability for damages from a data security breach for companies that comply with the PCI DSS and with the statute.

A Washington state law, which became effective July 1, 2010, gives financial institutions a cause of action against companies involved in payment card transactions that fail to reasonably guard against unauthorized access to payment card data and thereby suffer a data security breach. The statute exempts companies that have undergone annual security assessments to maintain PCI DSS compliance from liability for the damages associated with a breach ("reasonable actual costs related to the reissuance of credit and debit cards"). This exemption is a direct incentive for companies to comply with the PCI DSS.

Massachusetts has also enacted a stringent law concerning the protection of personally identifiable information (PII), with a compliance deadline of March 1, 2010. The law requires "encryption of all transmitted records and files containing personal information that will travel across public networks" and "of all data containing personal information to be transmitted wirelessly," as well as the development and maintenance of a written information security program (WISP). The law also provides for fines for data compromises of $5,000 per breach or lost record.

The continual emergence and revision of state laws regarding data security, whether they incorporate all or part of the PCI DSS or not, indicates a growing necessity for PCI DSS compliance. What was once only a matter of importance from a business perspective is steadily gaining legal credence. Consult the National Conference of State Legislatures (NCSL) website (http://www.ncsl.org/) and a licensed attorney for more information regarding data security laws in your state.

 

If you are not PCI DSS compliant when you experience a data security breach, the affected payment card brands have the right to levy substantial fines.

For example, in the case of a suspected data breach, if a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Also, Visa members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.

However, if you have become PCI DSS compliant, the payment card brands you accept may also offer financial incentives (such as those granted by the Visa PCI Compliance Acceleration Program).

The members of the PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These compromises affect the full spectrum of companies, from the very small to very large merchants and service providers.

POTENTIAL CONSEQUENCES OF A SECURITY BREACH & COMPROMISE OF PAYMENT CARD DATA

  • Inability to process credit cards

  • Loss of reputation

  • Loss of customers

  • Potential financial liabilities (for example, regulatory and other fees and fines)

  • Litigation

Post-mortem compromise analysis has shown common security weaknesses that are addressed by the PCI DSS, but were not in place in the organizations when the compromises occurred. The PCI DSS was designed and includes detailed requirements for exactly this reason—to minimize the chance of compromise and the effects if a compromise does occur.

PCI DSS VIOLATIONS THAT COMMONLY LEAD TO DATA COMPROMISES

  • Storage of magnetic stripe data. It is important to note that many compromised entities are unaware that their systems are storing this data.

  • Inadequate access controls due to improperly installed merchant POS systems, allowing hackers in via paths intended for POS vendors

  • Default system settings and passwords that are not changed when the system is set up

  • Unnecessary and insecure services that are not removed or fixed when the system is set up

  • Poorly coded web applications resulting in structured query language (SQL) injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the website

  • Missing and outdated security patches

  • Lack of logging

  • Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems)

  • Lack of segmentation in a network, making cardholder data easily accessible through weaknesses in other parts of the network (for example, from wireless access points, employee email, and web browsing)

Note: Some of the information above was adapted from "Why Is Compliance with PCI DSS Important?" as included in the PCI DSS SAQ Instructions and Guidelines, Version 1.2.
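The first item in the list above (stored magnetic stripe data that the owner does not know about) and the monitoring items are the ones a practitioner can check for directly. As an added example, not code from CSI Software or the PCI SSC and not part of the original white paper, the following Python script scans log lines for full Track 1 and Track 2 data and for bare primary account numbers that pass the Luhn check, and reports each finding with the PAN masked to first six and last four digits. The sample log lines, the track layouts assumed (ISO/IEC 7813 sentinels with an optional "?" end sentinel), and the function names are this example's own assumptions; the card numbers are the brands' published test numbers, not real accounts.

```python
"""Scan log lines for stored cardholder data that the PCI DSS forbids keeping.

Added example (not CSI Software code). It looks for three things a compromised
system is often found to be storing without its owner knowing:
  - full Track 1 data   (%B<PAN>^<NAME>^<YYMM>...?)
  - full Track 2 data   (;<PAN>=<YYMM>...?)
  - bare primary account numbers (13-19 digit runs that pass the Luhn check)
Findings report the PAN masked to first six / last four digits, which is the
most the PCI DSS permits to be displayed.
"""
import re
import sys
from dataclasses import dataclass

# Track layouts follow ISO/IEC 7813 (an assumption of this example): the
# regexes key on the start sentinels and stop at the optional '?' end sentinel.
TRACK1_RE = re.compile(r'%B(?P<pan>\d{13,19})\^[^^?]{2,26}\^[^?\s]*\??')
TRACK2_RE = re.compile(r';(?P<pan>\d{13,19})=[^?\s]*\??')
# A bare PAN: a run of 13-19 digits not embedded in a longer digit run.
# (Digit groups separated by spaces or dashes are not handled here.)
BARE_PAN_RE = re.compile(r'(?<!\d)\d{13,19}(?!\d)')


@dataclass
class Finding:
    line_no: int
    kind: str        # 'track1', 'track2' or 'pan'
    masked_pan: str


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most the PCI DSS allows to show."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def scan_line(line_no: int, line: str) -> list:
    """Return the findings for one line; track data is reported before bare PANs."""
    findings = []
    remainder = line
    for kind, rx in (('track1', TRACK1_RE), ('track2', TRACK2_RE)):
        for m in rx.finditer(remainder):
            findings.append(Finding(line_no, kind, mask_pan(m.group('pan'))))
        # Blank out matched track data so its PAN is not reported twice below.
        remainder = rx.sub(' ', remainder)
    for m in BARE_PAN_RE.finditer(remainder):
        if luhn_ok(m.group(0)):   # drops most order and invoice numbers
            findings.append(Finding(line_no, 'pan', mask_pan(m.group(0))))
    return findings


def scan_lines(lines) -> list:
    """Scan an iterable of text lines and return all findings in order."""
    findings = []
    for n, line in enumerate(lines, 1):
        findings.extend(scan_line(n, line.rstrip('\n')))
    return findings


# Constructed sample log lines. The card numbers are the brands' published
# test numbers, not real accounts; the last line is a Luhn-invalid decoy and
# the first line shows a correctly masked PAN that must not be flagged.
SAMPLE_LINES = [
    'INFO  auth ok member=1042 pan=4111********1111 amount=45.00',
    'DEBUG raw swipe: %B4111111111111111^DOE/JANE^25121015432112345678?',
    'DEBUG raw swipe: ;5555555555554444=25121015432112345678?',
    'WARN  retry card=378282246310005 exp=12/25',
    'INFO  order 6011000990139424 shipped',
    'INFO  invoice 1234567812345678 printed',
]


if __name__ == '__main__':
    # Scan a file named on the command line, or the constructed sample lines.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            results = scan_lines(fh)
    else:
        results = scan_lines(SAMPLE_LINES)
    for f in results:
        print(f'line {f.line_no}: {f.kind} {f.masked_pan}')
```

Run against the sample lines it reports the two raw swipes and the two bare PANs and stays silent on the masked PAN and the Luhn-invalid invoice number. Pointed at real application, web-server and POS logs (python scan.py /var/log/app.log) it gives a quick answer to the question the first bullet raises: is this system storing track data it should never have kept? Any hit on track data is a finding to remediate, not just to log, since the PCI DSS prohibits storing it after authorization even in encrypted form.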


If you have not yet achieved Payment Card Industry (PCI) Data Security Standard (DSS) compliance, or if you want to make sure your compliance is current, see the "References" section at the end of this document to research what it will take to gain compliance at your merchant level.

In the meantime, we can assure you that choosing CSI Software's Spectrum NG, a Payment Application Data Security Standard (PA-DSS) compliant solution, as your payment application will set your compliance process into motion.

CSI Software is committed to data security. The administrative management, development, and IT departments of CSI Software work diligently to obtain and maintain certifications with the various payment card authorities. The protection of personal and financial data has become a crucial part of our business. We have taken the following actions to ensure the protection of our clients' personal and financial information.

  • Establishing and adhering to accepted payment card data security practices

  • Maintaining documents on file with a company that is qualified to do security assessments

  • Submitting to numerous security penetration tests where the qualified security assessment organization makes an effort to penetrate CSI firewalls and security measures

  • Conducting employee background checks

  • Maintaining security logs

  • Managing detailed change orders

  • Using sophisticated data encryption

  • Securing the storage and transmission of payment card data

 

We are also committed to helping users of our Spectrum NG software offer the same level of security to their members. In addition to incorporating many of the above security measures into Spectrum NG, we also uphold its security by:

  • Updating encryption keys

  • Regulating how long data is maintained

  • Conducting application penetration tests where the qualified security assessment organization makes attempts to penetrate our Spectrum NG application, including online services

 

Because of our commitment to data security, CSI Software has attained the following credentials.

  • CSI Software has been a PCI DSS Level One compliant service provider since October of 2007.

  • CSI Software is one of only 500 companies in the United States to obtain the status of Level One PCI-DSS compliance. Other Level One companies include Amazon, Dell, and eBay.

  • CSI Software is a PA-DSS compliant payment application (Spectrum NG, Version 4.0).

 

Note: You can verify CSI Software's PCI DSS compliance on Visa's website (http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf) and PA-DSS compliance on the PCI SSC's website (https://www.pcisecuritystandards.org/security_standards/vpa/).

We believe you can and should improve your company by becoming PCI DSS compliant, and we can help you achieve this by offering you a payment application solution that will support your PCI DSS compliance strategy, rather than work against it.

Choose CSI Software, a company that has achieved PCI DSS compliance for itself, that offers a PA-DSS approved software solution, and that places a high value on the security of your members' personal and financial information, just like you do.

 

REFERENCES

PCI Security Standards Council | https://www.pcisecuritystandards.org/index.shtml

QSA/ASV: PCI Security Standards Council | https://www.pcisecuritystandards.org/qsa_asv/index.shtml

SAQ: PCI Security Standards Council | https://www.pcisecuritystandards.org/saq/index.shtml

PA-DSS: PCI Security Standards Council | https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml

Nevada Revised Statutes: Chapter 603a—Security of Personal Information | http://www.leg.state.nv.us/nrs/NRS-603A.html

 

CSI Software USA, Houston, TX 77098-4510 U.S.A. All rights reserved.
