Wednesday, February 17, 2010

PCI compliance: What it is and why it matters (Q&A)

"And if you're a merchant you really have to be careful because consumers are getting smarter and smarter and if they find out you are not protecting their data, credit card data or personal data, they're going to walk away. And that's going to be the downfall of your business." ~ Bob Russo, general manager of the PCI Security Standards Council.

Found this gem of an article on CNET. If you are a merchant, I urge you to read it in its entirety... C.S.G.

If you own a bank account or use credit cards, chances are you've heard the term "PCI compliant." But you probably don't know what it means.

The term is heard more and more frequently these days as data breaches at merchants like TJX, parent of TJMaxx, and payment processors Heartland Payment Systems and RBS WorldPay land millions of card records in the hands of hackers. Criminals are using the data to make purchases and withdraw money from accounts of unsuspecting victims who did nothing wrong; they just owned a card.

It's a huge and growing problem. More than 80 percent of data stolen in breaches is payment card data, according to the 2009 Verizon Business Data Breach Report.

CNET asked Bob Russo, general manager of the PCI Security Standards Council, to explain what is being done to keep criminals from accessing consumer payment card data.

Q: So, what does the PCI Security Standards Council do?

Russo: The council was formed in September 2006 by the five major credit card brands, Visa, MasterCard, American Express, Discover, and JCB [Japanese Credit Bureau]. It was formed because each one of the brands has their own compliance programs and they still do, but they all use this standard as the foundation for their programs. There was a time when you could pick up the phone and call one brand and ask a security question and get one answer and call another brand and ask the same question and get a different answer. They all now use these standards that we manage as the foundation for those compliance questions.

What is the standard exactly?

Russo: It's the PCI, which stands for Payment Card Industry, data security standard. It's a set of 12 specific requirements that cover six different goals. It's very prescriptive. It says not only that you need to be secure but it tells you how to become secure. It's more about security than compliance. The goals are things like build and maintain a secure network, protect card holder data and regularly monitor and test the networks. That's the main standard. We manage three different standards. The first one covers everything from the physical security to logical security.

The second standard is PADSS, Payment Application Data Security Standard. These are for payment applications a merchant would buy off the shelf. For example, if you went to a restaurant and you ordered your meal and the waiter used a touch-screen terminal, that puts the order in the kitchen and it's tied to an ordering database. The application also takes the credit card at the end of the meal. We make sure these applications aren't storing prohibitive data, such as data on the magnetic strip on the card. If they stored that data and someone got a hold of it then they would be able to clone credit cards. There are literally thousands of applications out there and when it's compliant with the standard it gets listed on our Web site.

The last piece we manage is called PTS, PIN Transaction System. Anytime you enter a PIN number, for example, this standard would take effect. It looks at those PIN entry devices so when you go to a large department store and you buy something and you use a debit card they'll hand you a PIN pad and you key in your number. We certify those devices as well as unattended payment terminals, such as those used at gas station [islands], ticket kiosks, and transit systems, like the Boston underground.

Complete article at CNET


  1. Nice article! A lot of people have no idea how important it is to be very careful when it comes to their information.

    Scott M.

  2. That is a fact, Scott. I talk to business owners every day that still would prefer to hide their head in the sand and pretend that the cyber boogie won't see them...