educational

PCI Compliance

PCI-DSS may sound like just another geek acronym, but everyone who takes electronic payments over the Internet has good reason to know what it is — and should only deal with payment processors who can state their compliance to this important security standard. PCI-DSS stands for payment card industry data security standard, and is a set of security principles established to protect credit card payment processing and all the sensitive information associated with it.

The requirements consist of six major security controls categories. They are:

1. Build and maintain a secure network by using a firewall and eliminating vendor supplied passwords.
2. Protect cardholder data by protecting stored credit card data thru encryption and data retention policies.
3. Maintain a vulnerability management program by use of anti-virus software and security development of systems and applications including the use of change control.
4. Implement strong access control measures by restricting logical and physical access to cardholder data.
5. Regularly monitor and test networks by use of logging tools, intrusion detection, file-integrity monitoring tools and regular penetration testing.
6. Maintain an information security policy by having a formal corporate policy that addresses information security.

These requirements address enterprise security for payment card processing and are currently managed by the PCI-DSS Security Council, a consortium made up of representatives from the major payment cards. The standard can be found at the council’s website, www.pcisecuritystandards.org.

A quick glance at the security standard will reveal that it covers everything from physical security to wireless security and all potential methods of compromise of card data. A quick review of news stories on the same topics indicates that each of these areas have been methods of successful compromises in the past.

Even though at first glance this may appear to be an overbearing list of requirements, many firms find that their current practices are close to being inline with the regulations. Though if it is otherwise, there are plenty of firms out there that can provide direction in order to come into compliance.

The goal of PCI-DSS was targeted to provide a safer environment for online payment card processing, though of course the underlying goal was to encourage more online credit card usage by instilling confidence to the consumer over the security/safety of online payments.

One of the obvious drivers was the growing fraud in online processing.

Following the old adage “Why rob the bank? Because that’s where the money is,” it was soon recognized that the growth of online payments was a treasure trove of financial information, that initially wasn’t always treated with the security it deserved, and soon became an easy target for online hacking. One site even emerged just to count the number of instances and records of known compromises of both online and physical data leakage PrivacyRights.org.

What was seen in the hacking cases initially were attacks against the large processors in hopes of obtaining large amounts of data in one location or processor; but as the larger processors adopted the PCI standard and therefore became more secure, the hacker community began moving down the food chain to the smaller and possibly less protected processors. This is why no one can “play the ostrich“ and believe they are too small to be a target, as anyone who has card data can become a potential target.

For large merchants, certification requires an initial self assessment of their enterprise, or a 3rd party assessment to the established standard. Once this is complete they must submit to a qualified security assessor (QSA) who will certify the compliance of the entity. This then gets submitted to the PCI organization and recorded. Upon confirmation of compliance, the processor can post their compliance with the PCI DSS standard. A list of compliant processors is available by region. For the U.S. the standard is known as PCI. The foreign version is called AIS for account information security. You can find the lists of PCI/AIS compliant companies at the Visa USA website, from Visa Europe and from Visa Asia Pacific.

So why is it important to only deal with processors who are PCI compliant?

By meeting this compliance standard, merchants dealing with the processor should have some degree of confidence that the customer data submitted to the processor will be treated with a commensurate level of security (the fewer times you lose your customer data, the better). The last thing a merchant wants is to be associated with an online hack of customer data, and given the new privacy laws in many states, data compromises of personal information must now be publically announced to the consumer when they occur (California was one of the first to enact such a law, known as SB 1836).

Additionally it should be noted that while you may have already achieved or are working with a PCI compliant processor, it is not a onetime exercise. The following recurring aspects need to be exercised in order to main compliance:

  • There are annual reviews – PCI compliance ROC.
  • Semi-annual – review server configuration standards.
  • Quarterly – vulnerability scanning.
  • Quarterly – access control review.
  • Daily – logging audit trails.

As an online merchant, PCI should no longer be just another acronym, but something that should be kept in mind for all your online payment processing. Maximizing your profits (and keeping them), as well as maintaining a high recurring customer base (hacked customers usually don’t return in droves), go hand-in-hand with PCI security.

As a 20 year veteran of Internet security, this author has long realized it’s a case of “us against them,” and for job security, can easily say, this threat is not going away anytime soon.

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

To Cloud or Not to Cloud, That Is the Question

Let’s be honest. It just sounds way cooler to say your business is “in the cloud,” right? Buzzwords make everything sound chic and relevant. In fact, someone uninformed might even assume that any hosting that is not in the cloud is inferior. So what’s the truth?

Brad Mitchell ·
opinion

Upcoming Visa Price Changes to Registration, Transaction Fees

Visa is updating its fee structure. Effective April 1, both the card brand’s initial nonrefundable application fee and annual renewal fee will increase from $500 to $950. Visa is also introducing a fee of 10 cents for each transaction, and 10 basis points — 0.1% — on the payment volume of certain merchant accounts.

Jonathan Corona ·
opinion

Unpacking the New Digital Services Act

Do you hear the word “regulation” and get nervous? When it comes to the EU’s Digital Services Act (DSA), you shouldn’t worry. If you’re complying with the most up-to-date card brand regulations, you can breathe a sigh of relief.

Cathy Beardsley ·
opinion

The Perils of Relying on ChatGPT for Legal Advice

It surprised me how many people admitted that they had used ChatGPT or similar services either to draft legal documents or to provide legal advice. “Surprised” is probably an understatement of my reaction to learning about this, as “horrified” more accurately describes my emotional response.

Corey D. Silverstein ·
profile

WIA Profile: Holly Randall

If you’re one of the many regular listeners to Holly Randall’s celebrated podcast, you are already familiar with her charming intro spiel: “Hi, I’m Holly Randall and welcome to my podcast, ‘Holly Randall Unfiltered.’ This is the show about sex, the adult industry and the people in it.

Women In Adult ·
trends

What's Hot Now: Leading Content Players on Trending Genres, Monetization Strategies

The juggernaut creator economy hurtles along, fueled by ever-ascendant demand for personality-based authenticity and intimacy — yet any reports of the demise of the traditional paysite are greatly exaggerated.

Alejandro Freixes ·
opinion

An Ethical Approach to Global Tech Staffing

One thing my 24-year career as a technologist working to support the online adult entertainment industry has taught me about is the power of global staffing. Without a doubt, I have achieved significantly more business success as a direct result of hiring abroad.

Brad Mitchell ·
opinion

Finding the Right Payment Partner

Whenever I am talking with businesses that are just getting started, one particular question comes up a lot: “How do I get a merchant account?” It’s a simple question, but it has a complicated answer.

Jonathan Corona ·
opinion

The Taxman Cometh for Every Business

February may be the month of romance, but it is also a time when we need to think about something that inspires very little love: taxes. April is not far away, and the taxman is always waiting. This year, federal and most state income taxes are due Monday, April 15.

Cathy Beardsley ·
opinion

The Continuous Journey of Legal Compliance in Adult

The adult entertainment industry is teeming with opportunity but is also fraught with challenges, from anticipating consumer behavior to keeping up with technological innovation. The most labyrinthine of all challenges, however, is the world of legal compliance.

Corey D. Silverstein ·
Show More