Exponential growth in ecommerce (online sales are now growing four times faster than offline sales1) has led to an increase in credit card information stored and transmitted across the Internet over the past decade. This large, decentralized repository of cardholder data also represents a growing set of risks for credit card issuers, financial institutions and merchants accepting payments via the web. As a result, the payment card industry has formalized its processes in response to the growing number of security breaches due to compromised cardholder information.
Enter PCI compliance, specifically the Payment Card Industry Data Security Standard (PCI DSS), a collection of 12 requirements created to help merchants protect customer account data while proactively supporting the broad adoption of consistent data security measures on a global basis. PCI compliance is not a request; it is a requirement. As of the end of 2007, any organization accepting debit and credit card payments must be in compliance with the standard. While the law does not enforce this standard, each of the payment card providers does.
What is PCI Compliance?
PCI compliance is a process designed to create a standardized level of account data security. The process ensures all merchants meet a comprehensive set of standards put in place by the payment card industry.
It should be seen as an investment to protect personal information and ensure account data security when transactions are processed using a debit or credit card, and it is required by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. PCI DSS represents the minimum requirements ensuring that all companies that process, store or transmit credit card information maintain a secure environment.
PCI DSS as a security standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. These guidelines are intended to help organizations proactively protect customer account data while helping to facilitate the broad adoption of consistent data security measures on a global basis. The PCI standard is not law but rather industry self-regulation steps that credit card companies have adopted.
A Brief History
Each credit card provider had its own set of proprietary definitions for data security compliance through 2005, making it a difficult task for merchants to stay up-to-date with multiple provider networks. In June 2005, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. founded the PCI SSC (PCI Security Standards Council) to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, which simplified the process for merchants. It couldn't have come at a better time, as security threats were becoming more prevalent.
1 PCI DSS: 5 Guidelines for Gaining PCI Compliance.
Nearly 350 million records2 containing sensitive personal information have been involved in security breaches over the past five years. Here are a few main cases of cardholder data theft and fraud:
TJX Companies (TJX): The retail brand owner of T.J. Maxx and Marshall's department stores revealed in March 2007 that hackers had compromised at least 45.7 million credit and debit cards by accessing a presumed secure network environment. TJX was forced to pay nearly $256 million from more than a dozen class action lawsuits in Alabama, California, Massachusetts, Puerto Rico and six Canadian provinces, for what has been hailed as the single largest data breach in United States history.
Commerce Bank (Wichita, KS): Discovered in October 2007 that a database containing personal data from nearly 3,000 customers had been hacked, with 20 customers having been exposed. The affected customers received a free credit monitoring service for two years.
Heartland Payment Systems, Inc.: On Dec. 26, 2007, this credit and debit card payment processor was attacked via SQL injection. Hackers used the security hole to install malware that stole almost 130 million credit and debit card numbers. Heartland has agreed to pay up to $60 million in restitution.
The first version of PCI DSS was followed by the adoption of PCI DSS 1.2 in 2008, which is the version currently in use. The PCI SSC will use the following cycle to produce a new version or revision:
Market Implementation (10/1/08 - 6/30/09)
Feedback Begins (7/1/09 - 10/31/09)
Feedback Review and Decision (11/1/09 - 4/30/09)
New Version/Revision and Final Review (5/1/10 - 8/31/10)
New Version/Revision Becomes Effective (9/30/10)
Since the PCI SSC launched on September 7, 2006, the amount of data theft and subsequent fraud through traditional channels (hacking and other malicious online activities) has dropped to 75 percent. New internal channels have manifested and pose a whole new challenge for the council, accounting for nearly 20% of security breaches3. Personal fraud has started to become the result of stolen laptops, internal security breaches and a lack of understanding of evolving cloud infrastructure. In light of the ever-changing security landscape, a built-in review cycle allows changes to be made to the standard by conducting five stages over 24 months.
Does my business need to become PCI Compliant?
Any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data must comply with these standards in order to accept credit cards. This applies to all merchants, third-party service providers and financial institutions working with each of the five credit card companies. Failure to meet compliance standards can result in fines from credit card companies and banks, and even the loss of the ability to process credit cards.
2 Chronology of Data Breaches, Privacy Rights Clearinghouse.
3 Muncaster, Phil. Over 280 million records compromised last year, SC Magazine, 15 April 2009.
The rule of thumb: If you house debit or credit card information, in whatever form, on your dedicated, co-located or owned servers, then you are responsible for complying with PCI DSS.
Under PCI DSS, every business or organization should be able to promise its customers that all credit card data/account information and transaction information is safe from hackers or any malicious system intrusion.
PCI Compliance Levels
Each card issuer has its own criteria for assigning a merchant level and a validation compliance level to a merchant, third party or service provider. The merchant level is based on the organization's transaction volume. The validation compliance level is based on the merchant level and defines the validation actions required to be PCI DSS compliant and who must carry them out.
All merchants will fall into one of four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of a merchant's Visa transactions (inclusive of credit, debit and prepaid4).
Merchant levels as defined by Visa5:
Level 1. Criteria: Any merchant -- regardless of acceptance channel -- processing over 6M Visa transactions per year, and any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. Validation: Annual online PCI data security assessment and quarterly network scans.
Level 2. Criteria: Any merchant -- regardless of acceptance channel -- processing 1M to 6M Visa transactions per year. Validation: Annual self-assessment and quarterly network scans.
Level 3. Criteria: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. Validation: Annual self-assessment and quarterly network scans.
Level 4. Criteria: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions. Validation: Annual self-assessment and annual
What am I required to do?
The PCI Security Standards Council has specified 12 PCI DSS requirements that participating businesses must fulfill to ensure that correct measures are taken to secure all data, both internally and externally facing. The Council's official documentation (Navigating PCI DSS: Understanding the Intent of the Requirements, v1.2, October 2008)6 includes detailed guidance for merchants, service providers and financial institutions on the intent and specific meaning behind each requirement to secure cardholder data.
4 In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual transaction volume to determine the validation level. SOURCE: Compliance Resource Kit
5 Merchant Levels Defined, MasterCard Worldwide, 2010.
6 Navigating PCI DSS: Understanding the Intent of the Requirements, PCI Security Standards Council.
In turn, all requirements are grouped into six main categories:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
To satisfy the PCI requirements, small- and medium-sized businesses must also complete the following steps:
1. Identify the SAQ Validation Type as defined by PCI DSS. This is used to determine which Self-Assessment Questionnaire is appropriate for your business. (Note: this does not correlate to your merchant or risk level.)
Type 1: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
Type 2: Imprint-only merchants with no electronic cardholder data storage.
Type 3: Stand-alone terminal merchants, no electronic cardholder data storage.
Type 4: Merchants with POS systems connected to the Internet, no electronic cardholder data storage.
Type 5: All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.7
7 Navigating PCI DSS: Understanding the Intent of the Requirements, PCI Security Standards Council.
2. Complete the Self-Assessment Questionnaire according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.
3. If applicable, complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Scanning is only required for Validation Types 4 and 5, those merchants with external-facing IP addresses. A quarterly scan by an ASV is also required if you electronically store cardholder information or if your processing systems have any Internet connectivity. View qualified QSAs and ASVs.
Secure Cardholder Data Environment
Maintaining and monitoring a secure cardholder data environment is essential to PCI compliance. PCI DSS requirements apply to all system components within or connected to this environment that hold cardholder data or sensitive authentication data. Key considerations include network components such as firewalls, switches, routers, wireless access points, network appliances and other security appliances. Traditionally, hackers exploited vulnerabilities in the website itself. Networks now assume a much larger role in the storage and transfer of payment card transactions, and a secure network can prevent hackers from accessing vital cardholder data.
The rule of thumb: If you don't know the identity of the network or host attempting to access your network, disallow it. Also prohibit direct public access between the Internet and any system component in the cardholder data environment. (Requirement 1)
There are many server types, including web, database, authentication, mail, proxy, network time protocol (NTP) and domain name system (DNS) servers. Developing a vulnerability management program is key to identifying how the various types of servers interact differently with networks, finding their weaknesses and creating a security procedure for each one. Applications, both internal and external (Internet-facing), pose some of the largest vulnerabilities, being susceptible to cross-site scripting (XSS), SQL injection, malicious file execution and many others.
In addition, adequate network segmentation, which isolates systems that store, process or transmit cardholder data, may reduce the scope of the cardholder data environment. A Qualified Security Assessor (QSA) can assist in identifying a range of options within an entity's cardholder data environment, along with guidance about how to narrow the scope of a PCI DSS assessment by implementing proper network segmentation.
PCI Security Scanning
Network security scans provide merchants and service providers with critical information concerning their network system as part of a comprehensive vulnerability management program. Any merchant electronically storing cardholder data post authorization, or processing systems that have any Internet connectivity, must have a quarterly scan conducted by a PCI SSC Approved Scanning Vendor (ASV).
PCI approved scans involve either an automated tool or manual analysis that checks a merchant's or service provider's systems for vulnerabilities on networks and web applications, based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify misconfigurations of websites, applications and IT infrastructure as well as vulnerabilities in operating systems, services and devices that could be used by hackers to target a company's private network. Scan results also provide knowledge that assists with efficient patch management and other security measures to rectify problems and improve protection against future Internet attacks.
Finding a PCI DSS Approved Scanning Vendor (ASV)
To meet the quarterly network scanning requirements, merchants and service providers at Levels 1, 2, 3 and 4 must retain an ASV to perform the scanning. Any merchant or service provider with annual transactions totaling 10,000 or more is required to have a quarterly network system scan.
All scans must be conducted by an ASV, in accordance with the procedures in the Technical and Operational Requirements for Approved Scanning Vendors (ASVs)8.
Compliance reports must be submitted according to each card brand's own requirements. If your merchant level requires you to submit validation documentation, do not be late. Each payment brand has a built-in clause to impose non-validation fees to enforce evolving levels of validation. According to the PCI SSC, the payment brands (MasterCard, Visa, American Express, Discover and JCB) will continue to focus on compliance with the security standards.
Missed validation documentation fee schedule:
First Deadline (FD): $50,000
30 days after FD: $150,000
60 days after FD: $200,000
How do I meet PCI Compliance with Linux Hosts Inc. and Linux Hosts Ltd.?
The following answers were provided by Shawn Hashmi, Director of Operations and PCI DSS expert. With over five years of industry experience, he provides leadership and direction to the data centers of Linux Hosts Inc. and Linux Hosts Ltd.
8 Version 1.1, Payment Card Industry (PCI) Data Security Standard: Technical and Operational Requirements for Approved Scanning Vendors (ASVs), PCI Security Standards Council, September 2006.
What can Linux Hosts Inc. and Linux Hosts Ltd. offer customers seeking PCI Compliance?
Shawn: We offer arguably the most difficult piece of PCI compliance: a secure cardholder data environment. All servers requiring PCI compliance will be placed in a separate PCI-compliant space requiring key card access in and out of the area and will be restricted to authorized personnel. Network and firewall access will be restricted solely to the customer.
How long did it take Linux Hosts Inc. and Linux Hosts Ltd. to create a PCI compliant environment in its datacenter?
Shawn: Linux Hosts Inc. and Linux Hosts Ltd. have been moving toward creating a secure PCI cardholder data environment to meet the needs of our clients since its founding in August 2009.
Are there any other additional steps in the PCI Certification Process that Linux Hosts Inc. and Linux Hosts Ltd. can assist our clients with?
Shawn: The Requirements and Security Assessment Procedures set forth by the Payment Card Industry are detailed, and range from maintaining a secure network to developing security policies and testing them on a regular basis. In addition to the secure environment, Linux Hosts Inc. and Linux Hosts Ltd. can offer our clients an application firewall which will help with compliance with one of the PCI Standards. Linux Hosts Inc. and Linux Hosts Ltd. are not a certified QSA (Qualified Security Assessor) or an ASV (Approved Scanning Vendor), but we want to do our best to help educate, inform and guide our clients to grow.
Selected terms used in PCI compliance. For a more complete list of definitions, see PCI Data Security Standard and Payment Application Data Security Standard: Glossary of Terms, Abbreviations, and Acronyms9.
Acquirer: Also referred to as acquiring bank or acquiring financial institution. Entity that initiates and maintains relationships with merchants for the acceptance of payment cards.
ASV: Acronym for Approved Scanning Vendor. Company approved by the PCI SSC to conduct external vulnerability scanning services.
Merchant: For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
PCI DSS: Acronym for Payment Card Industry Data Security Standard.
PCI SSC: Acronym for Payment Card Industry Security Standards Council. An open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
SAQ: Acronym for Self-Assessment Questionnaire. Tool used by any entity to validate its own compliance with the PCI DSS.
9 PCI Data Security Standard and Payment Application Data Security Standard: Glossary of Terms, Abbreviations, and Acronyms, Version 1.2, October 2008.
Service Provider: Business entity that is not a payment brand but is directly involved in the processing, storage or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include hosting providers, payment gateways, etc.
With this uniform standard for compliance, an increasing number of organizations have started to comply or to audit certain areas. Yet overall compliance numbers vary according to the merchant level. From data collected by Visa11, in 2006 only 18 percent of Level 1 merchants (merchants with 6 million or more Visa transactions per year) were compliant with PCI DSS, compared with 35 percent in 2007. Of Level 2 merchants, only 26 percent are PCI compliant at this time, but Level 3 merchants (merchants with Visa or MasterCard transactions totaling 20,000 to 1 million) have a higher level of compliance at 51 percent.
The liabilities and risks of not pursuing PCI compliance for your business have proven to be greater than ever. Credit card companies and acquiring banks can impose large fines and even remove the merchant's ability to process credit card transactions until the merchant is PCI compliant. The costs associated with attaining PCI compliance, nonetheless, are minimal compared to those incurred when personal data is stolen.
PCI compliance is clearly a new frontier for many businesses and not to be taken lightly. The rewards of following these requirements and guidelines overwhelmingly outweigh the risks of security breaches, lost revenue, customer migration and worse. Take advantage of the many resources, tools and expertise available to make your business PCI compliant. Then reap the benefits of a secure, confident ecommerce experience for your customers.
About PCI Compliance- History
The Real Cost of Data Breach , PCI Compliance Guide (Cited 2/11/2010) http://www.pcicomplianceguide.org/merchants-20090416-cost-data-breach.php
Five Common Myths Debunked, PCI Compliance Guide (Cited 2/11/2010) http://www.pcicomplianceguide.org/merchants-20080930-five-common-myths.php
What Is PCI Compliance And Should Merchants Be Concerned About It? (Cited 2/11/2010) http://www.practicalecommerce.com/articles/629-What-Is-PCI-Compliance-And-Should-Merchants-Be-Concerned-About-It-
Privacy Rights Clearinghouse (Cited 2/11/2010)
11 PCI DSS: 5 Guidelines for Gaining PCI Compliance.
Individual Payment Card Company Policies
American Express: www.americanexpress.com/datasecurity
Discover Financial Services: www.discovernetwork.com/fraudsecurity/disc.html
JCB International: www.jcb-global.com/english/pci/index.html
MasterCard Worldwide: www.mastercard.com/sdp
Visa Inc: www.visa.com/cisp
PCI Compliance Guide: A Five Step Guide for Gaining PCI Compliance (Cited 2/11/2010) http://www.pcicomplianceguide.org/merchants-20071022-gaining-pci-compliance.php
Navigating PCI DSS: Understanding the Intent of the Requirements, (Cited 2/11/2010) https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf
PCI Security Standards Council (Cited 2/11/2010) https://www.pcisecuritystandards.org/index.shtml
Quick Reference Guide: https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
Lifecycle: https://www.pcisecuritystandards.org/pdfs/OS_PCI_Lifecycle.pdf
Compliance Resource Kit (Cited 2/11/2010)
About Linux Hosts Inc. and Linux Hosts Ltd.
Specializing in shared, VPS, dedicated and managed hosting services for small-to-mid-sized businesses, Linux Hosts Inc. and Linux Hosts Ltd. offer advanced email, eCommerce, security and networking solutions. This includes a full line of high-performance Windows® and Linux servers as well as EVault Backup, Pinnacle Shopping Cart, and more.
All Linux Hosts Inc. and Linux Hosts Ltd. products are backed by secure data centers, live 24/7/365 U.S. and UK based support and a seasoned staff with international experience in the hosting business for over 15 years. An industry innovator, Linux Hosts Inc. and Linux Hosts Ltd. recently launched its Linux Hosts Inc. and Linux Hosts Ltd. Rewards program and the Green with Linux Hosts Inc. and Linux Hosts Ltd. Initiative, powering 100% of its dedicated server and managed hosting operations through renewable energy credits. For more information about Linux Hosts Inc. and Linux Hosts Ltd., please visit our Homepage.