PCI Compliance: Credit Card Security
April 1, 2010 | By Damon Armour, IT Security Officer, contributing writer
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard to protect credit card data from fraud and abuse. Initially, the large credit card firms (Visa, MasterCard, Discover, American Express, and JCB International) each had their own standards for their merchants and processors. In order to streamline and improve processes, the large credit card firms merged their policies to form the PCI DSS standard. The PCI standards are both technical and operational requirements. This creates the need for strong cooperation between the business users, auditors, and IT personnel.
PCI is made up of multiple standards. Those include: PCI DSS, which affects merchants such as ASU; PCI PA-DSS, which affects payment applications; and PCI PTS, which affects manufacturers of payment hardware. Who is required to follow PCI standards? According to the PCI SSC Quick Reference, “The standards apply to all organizations that store, process or transmit cardholder data.” The PCI standard further breaks down merchants by the number of transactions that are processed.
• Level 1 – Greater than 6 million Visa and MC transactions
• Level 2 – Between 1 million and 6 million transactions
• Level 3 – Between 20,000 and 1 million e-commerce transactions annually
• Level 4 – Fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually
The Merchant Levels each have different scales of security to maintain their level of compliance. Level 1 is the highest level due to the volume of transactions. ASU was classified as a Merchant Level 4 last year. What happens if an organization is not compliant with the PCI standards? The offending organization could face fines from the credit card industry or the acquiring bank (the bank that processes your credit card transactions) of up to $500,000 per security breach. Credit card activity could also be suspended for the organization. The organization could be moved up to Merchant Level 1, if not already there, and face the increased requirements. Lastly, the credibility/reputation of the organization could be damaged. The last effect, in many cases, is the most damaging in the long run.
July 1, 2010 is an important date for those organizations that accept credit card information. The Payment Application Data Security Standard (PA-DSS) will come into effect. The potential impact of non-compliance with PA-DSS is the refusal by acquiring banks to accept transactions from applications that have not been verified as compliant by PCI. Imagine the impact on an organization’s business if it could no longer process credit cards. The key to staying compliant is to work with your payment application vendors on getting listed as a verified system and to stay in communication with your acquiring bank on your compliance status.
ASU has been working on PCI compliance over the last few years, with an increased focus this year to maintain our compliance with the new standards. If a department accepts credit cards on campus, you need to verify your PCI compliance status with your software/hardware vendors. There is a PCI Team on campus whose focus is ensuring our campus’ compliance level. If you have questions, reach out to Kathy Boyd (Management Control Analyst), firstname.lastname@example.org, or Damon Armour (IT Security Officer), email@example.com, for assistance.
PCI Council Homepage – https://www.pcisecuritystandards.org/index.shtml
PCI Quick Reference Guide – https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
PCI DSS Standard Documents – https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
PA-DSS Validated Application List – https://www.pcisecuritystandards.org/security_standards/vpa/