Posted by websiteverification on June 29, 2010
The PCI Vulnerability Standards have been a hot topic across the web for the last few years. By now most of us know that PCI compliance is an obligation for every merchant that accepts credit cards, but all the talk about PCI has also raised numerous questions. I put together a list of frequently asked questions, with answers, to help.
What exactly are the PCI Vulnerability Standards? The PCI vulnerability standards, usually referred to as PCI DSS (PCI Data Security Standard), consist of 12 detailed requirements produced by the PCI Council, which is made up of the five major credit card companies. The standards were created to give businesses a unified way to keep their customers’ private information safe and secure. They were put into place in September 2006.
Do the PCI standards apply to all businesses? Any business that accepts, transmits or stores credit card information must meet the PCI compliance specifications, regardless of its size. Put more simply, if you accept credit cards at your place of business, the PCI requirements must be followed.
What if we don’t accept credit cards, but we accept debit cards? PCI compliance still applies here. The PCI standards must be followed by any organization accepting credit, debit or prepaid cards. Essentially, if you accept any kind of card branded with the logo of one of the five major credit card companies – American Express, Discover, JCB, MasterCard, or Visa – you must be in compliance.
Where is a complete list of the PCI Vulnerability Standards? Check out the website https://www.pcisecuritystandards.org.
How is PCI scanning related to PCI compliance? According to the PCI Council, in order to sustain proper PCI compliance your business should undergo daily or quarterly PCI scans of your systems. An ASV (approved scanning vendor) should scan your systems, including your website, your office internet connections, and basically anything else that is connected to a public IP address.
What happens if I am not in compliance? Outrageous fines as high as $100,000 a month may be charged for violating PCI. This can be catastrophic, especially for small businesses, so do not take it lightly.
This article may not have answered all your PCI-related questions. Above all, remember that the PCI vulnerability standards must be followed, and if you still have questions, don’t hesitate to ask. There is a lot of information available, and PCI compliance is very important.
Posted in pci compliance, website verification | Tagged: pci compliance, pci compliant, pci data security standard, pci dss, pci security standard, pci vulnerability standards, vulnerability scanning, website security, website verification
Posted by websiteverification on May 14, 2009
There has been a lot of criticism of companies that follow the PCI DSS as their only form of security. While it is important to have other security measures as well, following the PCI DSS does work!
There’s nothing wrong with PCI DSS that cannot be cured by following it
| I continue to hear comments that PCI DSS doesn’t work and that it should be modified or even eliminated.
| I find it interesting that so much fault can be leveled at PCI DSS in light of the facts that Verizon Business puts forth in their 2009 Data Breach Investigations Report. Here are some of their findings after investigating data breaches that compromised 285 million records in 2008 alone:
| 81% of the victims were not PCI compliant
| The last point—81% of the victims were not PCI compliant—speaks volumes about the spirit, intent and effectiveness of PCI DSS … if it is treated as security best practice and followed on a daily basis rather than treating it as a checklist that must be passed annually. Until each of the above percentages changes dramatically, I think PCI DSS should be seen as a good security best practice to follow continuously.
Posted in pci compliance, website verification | Tagged: pci, pci compliance, pci compliant, pci dss, pci scanning, pci security standard
Posted by websiteverification on April 28, 2009
Ok, so we all know about the PCI DSS (Payment Card Industry Data Security Standard) by now. But some of you may be wondering what the PCI DSS fines are if you do not become compliant. The fines can be pretty steep, as I will explain below, but fines are not the only risk: if you aren’t compliant, you are also putting your security and your customers’ information at risk.
All businesses that store, transmit or process credit card data are required to follow the PCI DSS and should have become PCI compliant by the end of 2007. If you are one of these businesses and are not yet compliant, you are constantly at risk of losing sensitive cardholder data, which will most likely result in PCI DSS fines, legal action and bad publicity. Organizations that fail to comply face fines of up to $500,000 if data is lost or stolen, and risk not being allowed to handle cardholder data at all.
Well-publicized cases involving big corporations have hit the headlines in the last couple of years. The payment card industry has threatened some larger merchants with fines of up to $25,000 per month until compliance is obtained. In the high-profile case of TJX (owner of the T.J. Maxx, Marshalls, Home Goods and A.J. Wright retail chains), the company reported spending $202 million because of the PCI violation that compromised the cardholder account information of as many as 40 million customers. The money is being spent to handle more than 20 lawsuits brought against it by banks and consumers in the U.S. and Canada and to pay settlements with the credit card associations.
So don’t risk it. If you are not yet PCI compliant, get there now. It is not as hard as it may seem, and it is well worth the time and money you put into it. If you don’t want to risk those pesky PCI DSS fines, you know what to do!
Posted in pci compliance, website verification | Tagged: pci, pci compliance, pci compliant, pci dss, pci dss fines, pci security standards, trust guard, website security, website verification
Posted by websiteverification on March 18, 2009
You may have heard the term “vulnerability assessment,” but aren’t quite sure what it means. You are not alone. I ran into this term a few times in my research and wasn’t quite sure what to think, so I decided to find out what exactly a vulnerability assessment is, and how it relates to PCI compliance.
These days, the risk of threats on the internet has become increasingly worrisome. The growing sophistication of intruder attacks that exploit vulnerabilities in online networks and applications has made it crucial for businesses to assess their networks regularly. This is where a vulnerability assessment comes in. A vulnerability assessment works hand in hand with PCI scanning to scan web applications, databases, networks, operating systems and other software to find threats and assess the risk to the business. In a nutshell, running these PCI scans (sometimes referred to as vulnerability scans) helps reveal any areas of your network that are weak or prone to attack. You can then make whatever changes your network needs to ensure that your business and customers are safe.
As with anything, it is important to realize that vulnerability scanning alone is not entirely fail-safe. As a business, you can combine vulnerability scanning with other means of website protection to ensure the security of your business and customers. Also, be aware that not all vulnerability or PCI scanners are the same, so you really should do some research and make sure that you are using an approved scanning vendor (ASV) that will do the best job for you.
A company that I have found to be very helpful in all my research is Trust Guard. They offer a lot of information on a vulnerability assessment and vulnerability scanning. Check it out, and ensure that your business is protected.
Posted in pci compliance, website verification | Tagged: pci compliance, pci compliant, pci scanning, pci security standard, third party verification, vulnerability assesment, vulnerability scanning, website security, website verification
Posted by websiteverification on March 10, 2009
I have been talking about the PCI Security Standards a lot in my posts. I have gone into a lot of detail about what the PCI Security Standards are, but I thought it might be helpful to let you know where they come from. In doing all my research, one of my main sources has been the PCI Security Standards Council’s website (https://www.pcisecuritystandards.org/). They are the main resource and enforcer of PCI compliance and PCI scanning, and their site is a great place to find out more about the PCI Security Standards.
The PCI Security Standards Council’s goal is to improve security for payment card accounts by bringing more education and awareness of the PCI Security Standards to merchants and businesses around the world. The PCI Security Standards Council was founded by the five major credit card companies: American Express, Discover, JCB International, MasterCard, and Visa.
To give you some idea of how the PCI Security Standards Council runs on a daily basis, here is some information about the different parts of the Council. It is headed by a policy-setting Executive Committee consisting of representatives from the five founding payment brands. Operational decisions are made by a Management Committee, also drawn from the payment brands. An Advisory Board, drawn from participating organizations, offers input to the organization and feedback on the progress of the PCI Data Security Standard. A Marketing Working Group, a Technical Working Group, and a Legal Committee, whose participants are drawn from the payment brands, deal with their respective activities.
So if you are ready to make your business PCI compliant, reading about the PCI Security Standards Council is a great place to start. Their site has a lot of useful resources and information to help you know what you need to do.
Posted in pci compliance, website verification | Tagged: pci compliance, pci compliant, pci dss, pci scanning, pci security standard, pci security standards, trust guard, website security, website verification
Posted by websiteverification on January 24, 2009
What does it mean to be PCI compliant? Many people find the subject confusing and overwhelming. Nevertheless, PCI compliance is super important. It used to be optional for smaller businesses, but with hackers becoming more clever and bold, all merchants who process credit card transactions, no matter how few, are now required to become PCI compliant.
Not only is it important for businesses to be PCI compliant, it is important that they become compliant as quickly as possible, in order to respond to the increasing concern of credit cardholders about their security. Here are a few steps to get you started with PCI compliance.
First, determine your merchant level. All merchants fall into one of four levels, defined by the number of transactions the business processes in a year. For example, a level 4 merchant is a business that processes fewer than 20,000 transactions per year; this is the most common small business merchant level. Once you know your merchant level, you will know more about exactly what is required of you.
Next, complete the PCI DSS Self-Assessment Questionnaire (SAQ). The SAQ is a tool that helps merchants and service providers evaluate their compliance.
Finally, you should appoint a qualified vendor to perform the required network scans of your system in order to check for vulnerabilities. This is known as PCI scanning, and Trust Guard now offers it. I have found that they are really affordable compared to other companies, and not only that, they also offer third party verification and trust seals.
These are just a few of the steps you can take to get started with your PCI compliance. You will want to check with your acquirer or bank to find out more specifically what you need to do to become PCI compliant. It is super important, and will probably even attract more customers to your website, as they will know that their information is safe. You can’t lose!
Posted in pci compliance, website verification | Tagged: merchant level, merchant services, pci, pci compliance, pci compliant, pci scanning, trust guard, website verification