Home > Features > PCI Compliance • Bookmark   • Newsletters   • Register Search Options


PCI Compliance

PCI Compliance

May 27, 2010
Text size: 
View in Digital Mag
Get XBIZ News
XBIZ Research
Will virtual reality boost the paysite market?
Yes, it will soon
Yes, but in a few years
Out of 179 votes. Results based on votes submitted by members of XBIZ.net social network.

" No one can “play the ostrich“ and believe they are too small to be a target "

PCI-DSS may sound like just another geek acronym, but everyone who takes electronic payments over the Internet has good reason to know what it is — and should only deal with payment processors who can state their compliance to this important security standard. PCI-DSS stands for payment card industry data security standard, and is a set of security principles established to protect credit card payment processing and all the sensitive information associated with it.

The requirements consist of six major security controls categories. They are:

1. Build and maintain a secure network by using a firewall and eliminating vendor supplied passwords.
2. Protect cardholder data by protecting stored credit card data thru encryption and data retention policies.
3. Maintain a vulnerability management program by use of anti-virus software and security development of systems and applications including the use of change control.
4. Implement strong access control measures by restricting logical and physical access to cardholder data.
5. Regularly monitor and test networks by use of logging tools, intrusion detection, file-integrity monitoring tools and regular penetration testing.
6. Maintain an information security policy by having a formal corporate policy that addresses information security.

These requirements address enterprise security for payment card processing and are currently managed by the PCI-DSS Security Council, a consortium made up of representatives from the major payment cards. The standard can be found at the council’s website, www.pcisecuritystandards.org.

A quick glance at the security standard will reveal that it covers everything from physical security to wireless security and all potential methods of compromise of card data. A quick review of news stories on the same topics indicates that each of these areas have been methods of successful compromises in the past.

Even though at first glance this may appear to be an overbearing list of requirements, many firms find that their current practices are close to being inline with the regulations. Though if it is otherwise, there are plenty of firms out there that can provide direction in order to come into compliance.

The goal of PCI-DSS was targeted to provide a safer environment for online payment card processing, though of course the underlying goal was to encourage more online credit card usage by instilling confidence to the consumer over the security/safety of online payments.

One of the obvious drivers was the growing fraud in online processing.

Following the old adage “Why rob the bank? Because that’s where the money is,” it was soon recognized that the growth of online payments was a treasure trove of financial information, that initially wasn’t always treated with the security it deserved, and soon became an easy target for online hacking. One site even emerged just to count the number of instances and records of known compromises of both online and physical data leakage PrivacyRights.org.

What was seen in the hacking cases initially were attacks against the large processors in hopes of obtaining large amounts of data in one location or processor; but as the larger processors adopted the PCI standard and therefore became more secure, the hacker community began moving down the food chain to the smaller and possibly less protected processors. This is why no one can “play the ostrich“ and believe they are too small to be a target, as anyone who has card data can become a potential target.

For large merchants, certification requires an initial self assessment of their enterprise, or a 3rd party assessment to the established standard. Once this is complete they must submit to a qualified security assessor (QSA) who will certify the compliance of the entity. This then gets submitted to the PCI organization and recorded. Upon confirmation of compliance, the processor can post their compliance with the PCI DSS standard. A list of compliant processors is available by region. For the U.S. the standard is known as PCI. The foreign version is called AIS for account information security. You can find the lists of PCI/AIS compliant companies at the Visa USA website, from Visa Europe and from Visa Asia Pacific.

So why is it important to only deal with processors who are PCI compliant?

By meeting this compliance standard, merchants dealing with the processor should have some degree of confidence that the customer data submitted to the processor will be treated with a commensurate level of security (the fewer times you lose your customer data, the better). The last thing a merchant wants is to be associated with an online hack of customer data, and given the new privacy laws in many states, data compromises of personal information must now be publically announced to the consumer when they occur (California was one of the first to enact such a law, known as SB 1836).

Additionally it should be noted that while you may have already achieved or are working with a PCI compliant processor, it is not a onetime exercise. The following recurring aspects need to be exercised in order to main compliance:

  • There are annual reviews – PCI compliance ROC.
  • Semi-annual – review server configuration standards.
  • Quarterly – vulnerability scanning.
  • Quarterly – access control review.
  • Daily – logging audit trails.

As an online merchant, PCI should no longer be just another acronym, but something that should be kept in mind for all your online payment processing. Maximizing your profits (and keeping them), as well as maintaining a high recurring customer base (hacked customers usually don’t return in droves), go hand-in-hand with PCI security.

As a 20 year veteran of Internet security, this author has long realized it’s a case of “us against them,” and for job security, can easily say, this threat is not going away anytime soon.


Sex Toy Manufacturers Offer Predictions for 2017

In 2016, it was evident that the sex toys/pleasure products sector of the adult industry was thriving when Forbes Magazine quoted CalExotics President Susan Colvin as saying that it now “stands as... More »

Execs of 2016: Online Industry Businessmen Reveal Market Drivers

XBIZ World is pleased to present “Execs of 2016: The Year in Review” — a special showcase of the thoughts and strategies of 2016’s most influential and motivational leaders as they... More »

Execs of 2016: Online Industry Businesswomen Reveal Market Drivers

XBIZ World is pleased to present “Execs of 2016: The Year in Review” — a special showcase of the thoughts and strategies of 2016’s most influential and motivational leaders as they... More »
Stay informed of the latest industry developments. Get XBIZ newsletters delivered to your inbox. Subscribe today!
Enter email address:

* To manage existing subscriptions click here.

Submit your press release to
multiple news outlets with 1 click.
Subscribe to RSS news feeds or
add free content to your website.
Access XBIZ news and articles
with your mobile device.
Access the latest issues of the industry's leading trade publications in digital form. View online or download for offline viewing.


Everything To Do With Sex Show

Jan 20 - Jan 22
Montréal, Québec

Everything To Do With Sex Show

Jan 27 - Jan 29
Halifax, Nova Scotia

The European Summit

Mar 04 - Mar 07
Barcelona-Sitges, Spain

The TEA Show

Mar 05 - Mar 06
Hollywood, CA
Everyday thousands of business professionals browse XBIZ's industry directory for quality products and services. Not listed yet? Your company could be losing potential new business. Submit your company today!
Use XBIZ RSS feeds to stay informed of the latest industry developments or as a content syndication tool for your website!