
Payment Card Industry Data Security Standards

January 19, 2011

Copyright © 2011 Holland & Knight LLP All Rights Reserved

PCI Standards Generally

• The Payment Card Industry Data Security Standards (or “PCI standards” or “PCI DSS”) are industry standards promulgated by the major credit card brands that are a baseline of important security controls to safeguard sensitive cardholder data.

• The PCI DSS apply to all entities that store, process, and/or transmit cardholder data: “If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.”

• The PCI Security Standards Council writes and updates the PCI

• The PCI DSS are not law.

• Rather, they are industry standards promulgated under contract by a council of the major credit card payment brands to regulate their member acquiring banks, who in turn are responsible for ensuring that merchants and businesses, for whom they process transactions, conform to the standards.

– But see S.B.227 (Nev. 2009), amending Nev. Rev. Stat. §603A. The Nevada law, among other things, mandates Nevada businesses to

• The PCI standards are a comprehensive set of 12 data security requirements imposed on all entities that process, store or transmit certain sensitive “cardholder data,” comprising merchants, banks and credit card transaction processors.

Credit Card Transactions

• Generally speaking, every time a cardholder uses a credit card to pay a merchant for goods or services, the issuing bank, acquiring bank and merchant must interact to process and complete the transaction. Simply put, an “acquiring bank” is a bank that processes credit card transactions on behalf of merchants, as opposed to an “issuing bank,” which issues credit cards to consumers.

• After the merchant’s computer scanners “read” the cardholder information contained in the magnetic stripe, the merchant then sends the pertinent account information through the network to the issuing bank. The issuing bank reviews the cardholder information and, assuming the card is valid with sufficient available credit, it authorizes the transaction.

Credit Card Transactions - Risks

• As the cardholder information is transmitted to and from the merchant over the Internet or wireless network, there are security risks.

• Cyber-thieves could potentially intercept the transmission and steal sensitive card information, which is why the PCI standards require encryption for card information transmitted over public networks.

– Sensitive information might include full magnetic-stripe data, CAV2/CVC2 (or other validation codes), or PINs and PIN blocks (a block of data used to encapsulate a PIN during processing), all of which are used to authenticate cardholders and authorize card transactions.

• In addition, criminals could also use malware to infiltrate the merchant’s own computer systems and steal consumer information; hence, the PCI standards mandate numerous security precautions to protect against network intrusions, including firewalls, log monitoring, access controls, and periodic vulnerability scans to ensure the merchant’s system has not been

PCI Compliance

• Verification of PCI compliance can be performed by a Qualified Security Assessor, who will perform an on-site inspection and determine whether an entity is compliant and advise on how to maintain compliance.

• An Approved Scan Vendor performs quarterly vulnerability scans of a merchant’s or service provider’s Internet-facing environments to ensure compliance with the PCI Standards’ external vulnerability scanning requirement.

• In certain circumstances, smaller merchants that are not required to undergo on-site assessments may complete a self-assessment questionnaire. Regardless, all merchants must meet certain security reporting requirements.
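The sensitive elements named under the transaction risks above (full magnetic-stripe data, validation codes) and the log-monitoring requirement meet in practice when card data leaks into application logs. As an added example that is not part of the Holland & Knight presentation, this Python scanner flags Luhn-valid card numbers and Track-2 swipe records in constructed sample log lines and reports them masked to first six / last four (the most PCI DSS permits to be displayed); the regexes and sample lines are my own assumptions, not a published tool.

```python
import re

# Constructed sample log lines (not from any real system): a Luhn-valid test
# card number, a Luhn-invalid 16-digit session id, a raw Track-2 swipe record,
# and a PAN already masked to first six / last four.
SAMPLE_LOG = """\
2011-01-19 10:02:11 order=4417 ok pan=4111111111111111 exp=0314
2011-01-19 10:02:12 session=1234567890123456 reused
2011-01-19 10:02:13 swipe raw=;4111111111111111=1403101123456789?
2011-01-19 10:02:14 masked pan=411111******1111
"""

# A card number is 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track-2 layout: start sentinel ';', PAN, separator '=', YYMM expiry,
# 3-digit service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(text: str) -> list:
    """Return (line number, finding type, masked PAN) for each exposure found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Track-2 data is sensitive authentication data: never storable after
        # authorization, so report it ahead of a bare PAN on the same line.
        track = TRACK2_RE.search(line)
        if track:
            findings.append((lineno, "TRACK2", mask_pan(track.group(1))))
            continue  # the track already contains the PAN; avoid a duplicate
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((lineno, "PAN", mask_pan(m.group(1))))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports the clear-text PAN on line 1 and the Track-2 record on line 3, while the Luhn-invalid session id and the already-masked PAN are ignored.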

Merchant Levels

• For example, Mastercard's security program, with the PCI DSS as its foundation, details the data security requirements and compliance validation requirements to protect stored and transmitted MasterCard payment account data.

Why Comply?

• Failure to comply with the PCI Standards can result in fines, additional audit requirements or the suspension of the ability to process credit card transactions with particular payment card brands.

• Generally speaking, the payment card brands may fine an acquiring bank for PCI violations, with such fines likely passed down to non-complying service providers and merchants.

• In 2009, for example, the average data breach cost $6.75 million, about $204 per compromised customer record.

• Any data breach could result in grave reputational damage and cost exposure:

– Investigatory and response costs

– Data breach notification costs (requirements vary under state law)

– Court awards; settlements with consumers and payment card brands; legal and expert fees

– Regulatory costs and settlements with the FTC and state attorneys general

– Future compliance and remedial costs

– Business costs, including damage to brand and consumer goodwill

Recent Example

• In Jan. 2009, Heartland Payment Systems, a large payment processor, suffered a breach that compromised 130 million cards. The breach was caused by malware that infected its networks and collected in-transit, unencrypted payment card data during the transaction authorization process.

– After insurance reimbursement, Heartland’s breach cost over $114.7 million, principally for settlements. Approximately $30.3 million of the total charges were for legal fees and costs incurred for

Is Compliance Enough?

• Following several newsworthy data breaches, it was reported that the affected companies had been certified PCI compliant.

• Some commentators have cautioned that while the PCI standards are excellent security baselines, they do not necessarily mean a network is 100% secure.

• Security should be a multi-layered, ongoing concern.

Merchant Liability Legislation

• Merchant liability legislation seeks to codify certain portions of the PCI standards and allow financial institutions to recover certain costs stemming from a merchant’s data breach, particularly issuing banks, which have faced obstacles in recovering their costs in reissuing credit cards following a breach.

• Minnesota: Minn. Stat. §325E.64 (Supp. 2007): The law essentially codifies fundamental PCI standards regarding the protection of credit card authorization data into law for merchants conducting business in Minnesota that handle sensitive consumer data. Financial institutions have the right to recover breach-related costs from merchants who retain certain credit and debit card transaction data beyond certain time frames.

• Washington: H.B.1149. This merchant liability law applies to covered entities that process at least 6 million yearly payment card transactions and contains safe harbors exempting covered entities if the account information was