Visa and MasterCard mandated PCI compliance as of Jan 1, 2008. I would like to get a feel or opinion on this subject. What do you know about it? And do you know the penalties associated with a compromise of credit card information?
Answers (4)
PCI establishes security standards (DSS) for business that store, process or transmit customers' credit card numbers. See the resources identified for links to the published standards.
PCI breaks merchants down into 4 levels. These levels determine compliance reporting, system scanning, and penetration testing requirements. Visa sets these levels as follows:
- Level 1: processes 6M Visa transactions per yr or has suffered a data breach resulting in a data compromise *All Channels
- Level 2: processes 1M to 6M trans per yr. *All Channels
- Level 3: processes 20K to 1M e-commerce trans per yr.
- Level 4: processes <20K e-commerce trans per year and all other merchants, regardless of channel, processing up to 1M trans per year.
Penalties can vary for non-compliance.
Raj S.
Director-R&D Competency at Huawei India R&D Center
I Recommend Mrs. Meenakshi Chopra as an expert in the area of PCI audit
Lynn W.
virtualization since Jan68, online at home since Mar70
A couple of recent references that have appeared in answers to similar questions:
Payment Application Data Security Standard (PA-DSS)
https://www.pcisecuritystandards.org/tech/pa-dss.htm
PCI Compliance gets clarified and neutered (further)
http://blogs.zdnet.com/security/?p=1035
Links:
- https://www.pcisecuritystandards.org/tech/pa-dss.htm
- http://blogs.zdnet.com/security/?p=1035
- http://www.garlic.com/~lynn/subintegrity.html#fraud
Clarification added April 26, 2008:
one of the issues is this old post about security proportional to risk:
http://www.garlic.com/~lynn/2001h.html#61
and kindergarten security 101
Basically, one issue with crooks attacking merchant systems to harvest previous transaction information is that they can potentially outspend the merchants 100-to-1. The value of the information to the merchant is basically some part of the net profit on each transaction. The value of the information to the attacker is basically the aggregate balance and/or credit limit of each account. These two values can differ by two orders of magnitude (a factor of 100 times). As a result, the crooks attacking the system may be able to outspend the merchant defending against the attack by a factor of 100 times.
In the mid-90s, the x9a10 financial standard working group had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments. The huge disparity in the value of the information to the attackers and to the defenders was one of the considerations that went into the x9.59 financial standard:
http://www.garlic.com/~lynn/x959.html#x959
Instead of hiding the information from the attackers, one of the things that x9.59 did was to make the information useless to the attackers. Whether or not the attackers could extract the information from merchant systems was not dealt with in the x9.59 standard. However, x9.59 changed the paradigm so that if crooks did obtain the information, they wouldn't be able to use it for fraudulent transactions.
Clarification added April 27, 2008:
A large number of past posts related to breaches involving financial information:
http://www.garlic.com/~lynn/subintegrity.html#fraud
We had been brought in to help wordsmith the Cal. state electronic signature legislation (and later the federal legislation). It turns out that other parties involved in the legislation were also involved in various privacy issues. They had done detailed consumer privacy surveys and had come up with the two most important privacy-related items for consumers:
1) identity theft ... mostly subcategory account fraud related to breaches of financial information that subsequently enabled fraudulent transactions
2) denial of service ... mostly various organizations, institutions, and/or agencies making some determination to the detriment of the individual based on private personal information.
Item #1 was in large part the motivation behind various breach legislation, in part because it had been very prevalent but was getting little attention. This was analogous to, but different from, the efforts in X9.59 ... which, instead of establishing standards for protecting the information and/or requiring notification when the information was compromised ... eliminated the associated vulnerabilities and fraud that could happen when there were breaches.
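The paradigm shift Lynn describes (harvested data becoming useless rather than hidden) made concrete as an added example. This is not code from the thread or from the X9.59 standard itself; it assumes a simplified model in which every transaction is digitally signed by a cardholder key whose public half is registered with the issuer, and the issuer rejects any record whose signature does not verify or whose per-account nonce has already been accepted. The account identifier, field layout, nonce scheme, merchant names and key seed are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is the record a merchant stores and forwards to the issuer.
// In this model everything in it is assumed to be harvestable from a breached
// merchant system; only the cardholder's private key is not.
type Transaction struct {
	Account  string // constructed account identifier, not a real card number
	Merchant string
	Cents    uint64
	Nonce    uint64 // strictly increasing per account, so a captured record cannot be replayed
	Sig      []byte // cardholder's Ed25519 signature over the fields above
}

// signingBytes serialises the signed fields with a fixed layout, so changing
// any field (amount, merchant, nonce) invalidates the signature.
func (t Transaction) signingBytes() []byte {
	b := []byte(t.Account + "\x00" + t.Merchant + "\x00")
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], t.Cents)
	b = append(b, n[:]...)
	binary.BigEndian.PutUint64(n[:], t.Nonce)
	return append(b, n[:]...)
}

// SignTransaction is what the cardholder's device does; the private key never
// leaves it and the merchant never sees it.
func SignTransaction(priv ed25519.PrivateKey, account, merchant string, cents, nonce uint64) Transaction {
	t := Transaction{Account: account, Merchant: merchant, Cents: cents, Nonce: nonce}
	t.Sig = ed25519.Sign(priv, t.signingBytes())
	return t
}

// Issuer holds each account's registered public key and last accepted nonce.
type Issuer struct {
	pubKeys   map[string]ed25519.PublicKey
	lastNonce map[string]uint64
}

func NewIssuer() *Issuer {
	return &Issuer{pubKeys: map[string]ed25519.PublicKey{}, lastNonce: map[string]uint64{}}
}

func (i *Issuer) Register(account string, pub ed25519.PublicKey) { i.pubKeys[account] = pub }

// Authorize accepts a transaction only if it carries a valid signature from the
// account's registered key and a nonce newer than any already accepted.
func (i *Issuer) Authorize(t Transaction) error {
	pub, ok := i.pubKeys[t.Account]
	if !ok {
		return errors.New("unknown account")
	}
	if !ed25519.Verify(pub, t.signingBytes(), t.Sig) {
		return errors.New("signature does not verify: field altered or not signed by cardholder")
	}
	if t.Nonce <= i.lastNonce[t.Account] {
		return errors.New("nonce already used: replay of a harvested transaction")
	}
	i.lastNonce[t.Account] = t.Nonce
	return nil
}

// Demo runs three cases: the genuine transaction, a forgery built from the
// harvested record, and a straight replay. It returns the issuer's verdicts.
func Demo() (genuine, forged, replayed error) {
	seed := []byte("constructed-demo-seed-not-secret") // 32 bytes, reproducible demo key only
	priv := ed25519.NewKeyFromSeed(seed)
	issuer := NewIssuer()
	issuer.Register("4111-DEMO-0000-0001", priv.Public().(ed25519.PublicKey))

	original := SignTransaction(priv, "4111-DEMO-0000-0001", "merchant-A", 4999, 1)
	genuine = issuer.Authorize(original)

	// The attacker holds a copy of `original` taken from the merchant's database.
	// Attempt 1: reuse the account and signature for a different purchase.
	stolen := original
	stolen.Merchant = "attacker-shop"
	stolen.Cents = 250000
	stolen.Nonce = 2
	forged = issuer.Authorize(stolen)

	// Attempt 2: resubmit the captured record unchanged.
	replayed = issuer.Authorize(original)
	return genuine, forged, replayed
}

func main() {
	g, f, r := Demo()
	fmt.Println("genuine: ", g)
	fmt.Println("forged:  ", f)
	fmt.Println("replayed:", r)
}
```

The point of the demo is what the merchant database no longer protects: the account identifier and the full transaction record are assumed stolen, and the issuer still rejects both the altered and the replayed submissions, which is the sense in which the harvested information is useless to the attacker. A real deployment would additionally bind the signature to a timestamp or merchant-side challenge and handle key registration and revocation, none of which this toy models.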
Al M.
Volunteer Consultant at Haiti Earthquake Disaster Relief & News
Opinion ... put yourself in the shoes of the millions of people who are victims of identity theft and other financial fraud because someone stole their credit card info, or social security #, or whatever, because some business enterprise that they did business with did not properly secure that info. Your biggest nightmare will be when they find out the fraud was because your company did not properly safeguard this info.
If your business does not have customers buying via credit card, then you don't have to sweat it. If it does, then you better get things right with your computer systems, and business contract law, or you could be on the road to either ruin, or millions of dollars lost in law suits and loss of public confidence after you get breached.
PCI is not just a set of security standards, it is also a legal minefield. Each credit card company has rules involving the PCI standard plus their rules on top of that. All of this is a MINIMUM security goal, that a business needs to be better at. The recent Hannaford breach involved a company that was certified as meeting this minimum standard on the same day that the breach began.
In other words, the security inspectors were at the Hannaford company on the exact same day that the criminals were installing their deal to intercept all the credit card info flowing through the company.
Banks that issue credit cards have to have contracts with the credit card companies that promise they will uphold the standards. Banks then pass the buck to handle the security certification, and paperwork, and transactions to other companies. If they drop the ball, and the bank did not pass responsibility onto them in contract, then the bank is on the hook.
Each company in turn that accepts payment by credit card is bound by the rules passed down via credit card companies through the banks. If you try to install PCI without knowing what you are doing, without training the computer staff, without putting the right language in your contracts with vendors, you can't blame them for not doing their job right; the responsibility is yours.
Several companies, after being breached and sued for millions of $ because of it, have tried to sue their computer suppliers and lost. It is your responsibility to know if the computer stuff you buy meets the standards you are legally obligated to sustain. If there is nothing in your contract with your vendors about needing to meet PCI or any other standard, then they have zero obligation to supply you with a product or service that does that job properly.
This includes auditors. Many many breaches have occurred because some company turns over their info to some auditing firm, which puts it on a laptop, then has the laptop stolen. You can't get the audit firm to reimburse you the millions of dollars in damages resulting from this, unless your contract with the auditors firm included provision for THEIR insurance to cover such an eventuality.
Also check your business insurance. Just as home owner insurance usually does not include earthquake and flood, business insurance does not normally cover disruption due to computer problems, unless you get a special rider for that. There are maybe 10 insurance companies in the USA that insure companies against computer screwups. Maybe you should check into that also.
Clarification added April 26, 2008:
The web site gives much more detail on this topic, including links to the PCI standard itself, additional rules by various credit card companies, and what laws apply on top of this.
In the section with the heading "PCI as the standard of care for a negligent security suit" there is a link to exactly what went wrong in the TJX MaxX case. It would seem that the company was totally ignorant of its responsibilities to the public.
If you are ignorant of this PCI stuff, then you have no business operating a business that accepts payments from customers by credit card, personal check, electronic funds transfer, or any other approach that has any information that identifies the customer in a manner that could lead to financial fraud against them, if that information got breached.