PCI Compliance

Payment Card Industry compliance was introduced as an additional security layer for organisations accepting card payments. Each major credit card provider originally introduced its own protocol setting out a set of guidelines for organisations accepting credit card payments. This additional security level was intended to reduce the number of fraudulent transactions and other vulnerabilities associated with accepting card payments online. Visa introduced the Cardholder Information Security Program (CISP), MasterCard introduced Site Data Protection (SDP), American Express introduced the Card Information Security Program, Discover introduced the Information and Compliance program and JCB introduced the Data Security Program. Each of these security protocols was broadly equivalent to the others.

On the 5th of December 2004, the Payment Card Industry Security Standards Council was created. This organisation was founded by the credit card companies in order to provide one standard of credit card security that would "enhance payment account data security" (PCI Security Standards Council). This standard would be known as the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS applies to any organisation that is processing, storing or transmitting card (credit or debit) details. If an organisation chooses to disregard PCI compliance, it risks losing the ability to accept card details online and/or being fined. At the beginning of 2007, the TJ Maxx companies reported that hackers had accessed customer transaction data from credit cards, debit cards, cheques and return transactions. The breach has cost TJ Maxx around 256 million dollars.

PCI DSS version 1.1 specifies that an organisation processing, storing or transmitting card details must:

1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

Detailed explanations of each of the above requirements are set out by the PCI Security Standards Council.

What is required to achieve PCI compliance depends entirely on the number of transactions an organisation or merchant takes per annum. A merchant that takes over six million transactions a year, or whose data has been compromised previously, requires an annual onsite security audit and a quarterly security scan. A merchant that takes between 1 million and 6 million transactions is required to have a quarterly network security scan and to fill out an annual self-assessment questionnaire. Merchants taking between 20,000 and 1 million transactions per annum require a quarterly scan by an approved PCI scanning vendor and an annual self-assessment questionnaire. Finally, merchants who take fewer than 20,000 transactions per annum are required to fill out an annual self-assessment questionnaire.

One way of accepting card payments on a site (e.g. an eCommerce site) without being required to become PCI compliant is to let the payment gateway take care of all the payments. For example, Protx, the UK's leading payment gateway, offers a number of different ways of integrating with a website. Its VSP Direct method requires integration with the existing site. It enables a merchant to keep the customer on their own site throughout the whole buying process; however, this option requires the merchant to become PCI compliant. Alternatively, Protx offers a VSP Form method. This method redirects visitors to a Protx form that is not located within your website. The VSP Form does not require PCI compliance, as the merchant is not storing, processing or transmitting card details; this is all done by the payment gateway.
