Are You Foggy About PCI Compliance?

In the last two years alone, more than 88 million consumers have been affected by breaches of sensitive financial information, most commonly their credit card numbers. These breaches cost millions of dollars each year in fraud and theft, and create a headache for the credit card companies absorbing most of those losses. To thwart the problem, five major credit card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) jointly formed the Payment Card Industry Security Standards Council, charged with developing and maintaining rigorous security standards for merchants and credit card processors.

Any merchant that accepts credit card payments, which includes every online merchant, is obligated to implement the standards mandated by the council. Yet two years after the council was formed, many merchants remain unaware of their obligations and are not in compliance with the standards.

Many merchants fail PCI audits on basic security tests. Poor password management policies, insecure servers and services, insecure default settings (such as unencrypted wireless networks!) or badly configured payment systems often trigger a failing grade. In more serious cases, full credit card numbers are stored in an environment lacking adequate security and access control, or CVV2 values and PINs are stored at all, which PCI DSS prohibits after authorization no matter how well the storage is protected.

Coming into compliance with PCI standards can usually be achieved without major investment or changes to business practices. Merchants can choose from several approaches, but in all cases they should designate an individual who understands the business's purchasing process and the systems that support it. This individual should carry out a risk assessment of the current security controls and systems. Such an assessment gives the business a clearer picture of its technology architecture, in particular of where cardholder data flows and is stored, so that it can implement guidelines and control standards that improve its management and security policies.

To start, merchants should meet these five primary objectives on the way to PCI compliance:

1. Maintain a secure network. All servers processing sensitive information should be kept current with software patches and upgrades. This includes firewall software, Web hosting control panel software, and billing or account management applications.

2. Cardholder data must be securely maintained. Systems holding this data should be segmented from the rest of the network, and access should be limited to the individuals who need it for their job. Store only what the business actually needs: the full card number only where there is a business reason, and never CVV2 values or PINs. When credit card information is no longer needed, it should be destroyed immediately and irrecoverably. It seems every few months there is a report of a major corporation or government agency losing a laptop containing tens of thousands of private records; something like this can never be allowed to happen.

3. Web site vulnerabilities and potential exploits should be monitored for, and patched as soon as they are discovered.

4. A unique identifier should be assigned to each person who has access to credit card data, with no shared or generic accounts. This makes the environment more secure and lets administrators attribute every access to an individual, so internal misuse can be traced.

5. Merchants should only use reputable payment gateway services, such as Authorize.net.
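Objectives 2 and 4 turn on a question most merchants cannot answer from memory: where do full card numbers (and CVV2 values) actually sit on our systems? The following Python script is an added example, not code from the article or from any PCI tool, showing the kind of sweep a merchant can run over log files or exports before an assessor does. It finds candidate card numbers with a regular expression, discards false positives with the Luhn check that every real card number passes, masks what it reports to the first six and last four digits, flags lines that also store CVV2 or PIN values, and shows what a line should look like if it has to be kept at all. The sample log lines, field names and test card numbers are constructed for the example.

```python
"""PAN discovery sweep: find card numbers lying around in logs or files."""
import re

# Constructed sample input: log lines of the kind a pre-audit sweep turns up.
# The card numbers are well-known test PANs, not real cards.
SAMPLE_LOG = """\
2009-03-01 10:12:03 order=1001 pan=4111111111111111 cvv2=123 status=approved
2009-03-01 10:12:09 order=1002 pan=5500 0000 0000 0004 status=approved
2009-03-01 10:12:15 order=1003 ref=1234567890123456 status=declined
2009-03-01 10:12:22 order=1004 pan=4111-1111-1111-1112 status=approved
2009-03-01 10:13:00 order=1005 tracking=9400111899223390000000 status=shipped
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits (so a 22-digit tracking number is skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data that must never be stored after authorization.
# Field names are assumed for the example; adapt them to your own log format.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid|pin)\s*=\s*\d+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS permits at most the first six and last four digits in the clear."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return one finding per Luhn-valid PAN: line number, masked PAN, and
    whether the same line also carries sensitive authentication data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue        # looks like a PAN but is not one (e.g. an order ref)
            findings.append({
                "line": lineno,
                "pan": mask_pan(digits),
                "sad": SAD_FIELD.search(line) is not None,
            })
    return findings


def redact_line(line: str) -> str:
    """What the line should look like if it must be kept at all:
    PAN masked, CVV2/PIN value removed outright."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    line = PAN_CANDIDATE.sub(_mask, line)
    return SAD_FIELD.sub(lambda m: m.group(1) + "=[removed]", line)


if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        flag = "  <-- CVV2/PIN stored alongside" if f["sad"] else ""
        print(f"line {f['line']}: {f['pan']}{flag}")
    print()
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

Run against the sample, the sweep reports two real PANs (lines 1 and 2) and ignores the order reference on line 3, the mistyped number on line 4 and the tracking number on line 5; line 1 is additionally flagged because a CVV2 value was logged next to the card number. A real sweep should cover web server logs, database dumps, backups and developer workstations, since those are where full card numbers most often turn up outside the payment system itself.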

Beyond these basic requirements, businesses should adopt the many sub-requirements outlined in the Payment Card Industry Data Security Standard (PCI DSS), available at http://www.pcisecuritystandards.org.

Ultimately, moving toward PCI compliance reduces more than just liability for businesses. It creates a more secure environment that allows a business to operate more efficiently and without fear of data loss or breach, and gives customers greater assurance and confidence in doing business with the merchant. In the long term, any added costs of attaining compliance are offset by the benefits of increased security.

Author Info: Errett Cord is a former executive of a web hosting firm who has worked with many small- to medium-sized companies developing effective internet strategies. As part of his commitment to helping others improve their businesses, Errett has become deeply involved with Magento and how to effectively set up and manage the platform. Contact Errett Cord (ecord@ecord.us)