With the new standards, all merchants must be certified under the Payment Card Industry (PCI) Data Security Standards, which were developed by a consortium of major payment card companies.
The PCI standards, which specifically address wireless security, detail "lock down" procedures for data, including data housed by third parties and procedures on how a merchant's computer infrastructure should be configured, maintained and secured.
To receive certification under the standard, all merchants must meet the security requirements, which include:
— Installing and maintaining a firewall;
— Not using default passwords;
— Using strong protection for stored data; Implementing controls that restrict data access to a need-to-know basis;
— Assigning a unique identity authentication to each person accessing computer systems;
— Encrypting cardholder data transmitted over public networks;
— Not storing credit card verification codes;
— Installing and regularly updating anti-virus software;
— Developing and maintaining an information security policy;
— Restricting physical access to cardholder data;
— Monitoring and tracking network resources and cardholder data regularly; and,
— Testing security systems and processes frequently.
The rules affect adult and mainstream Internet companies that offer Visa International, JCB International Credit Card, Diners Club International, Discover, American Express and MasterCard International are part of the consortium. American Express, however, refuses to process online adult charges.
Companies that fail to comply will face fines and other penalties, which include, in some instances, being banned from processing transactions using payment cards.
With the new regulations, most online adult companies will be forced to buy automated compliance tester software. Qualys sells a package for under $500.
The new rules ramp up with large companies that process more than six million transactions a year. Those companies must conduct an annual on-site security audit, a quarterly network scan, and an annual self-assessment questionnaire.
Each card company has implemented its own program under the standard — Visa's is called Cardholder Information Security Program.
Most of the larger credit card companies’ data security programs have been in existence for several years, but it was optional. It became mandatory in 2003, but only for the largest merchants.
