Credit Card Companies Impose Strict Security Standards On Merchants

by Glen Shapiro, LawAndTax-News.com, New York

03 May 2005

New security standards from credit card companies come into force at the end of next month; all merchants must abide by them, and larger ones will be audited.

The Payment Card Industry Data Security Standard, which is accepted by Visa, Mastercard, Amex and Diners Club, represents a concerted effort to tackle identity theft and on-line fraud. It sets out procedures for handling cardholder information in a secure manner, and requires that merchants carry out a quarterly compliance check. All merchants are covered by the standard, although only those carrying out more than 20,000 transactions per year will be obliged to have their compliance verified.

Sanctions for errant merchants include heavy fines and the threat of the withdrawal of credit card processing facilities. By using a single standard and enforcing it strongly the credit card industry hopes to stem the tide of identity theft and on-line fraud. Recent security breaches include the loss of backup tapes containing the credit card information of 1.2 million federal workers by Bank of America, the loss of around 310,000 sets of customer information at a subsidiary of LexisNexis, and the loss of transaction data belonging to around 180,000 customers of Polo Ralph Lauren.

The requirements of the standard include:

  • Install and maintain a firewall configuration to protect data;
  • Do not use vendor-supplied defaults for system passwords and other security parameters;
  • Protect stored data;
  • Encrypt transmission of cardholder and sensitive information across public networks;
  • Use and regularly update anti-virus software or programs;
  • Develop and maintain secure systems and applications;
  • Restrict access to data by business need-to-know;
  • Assign a unique ID to each person with computer access;
  • Restrict physical access to cardholder data;
  • Track and monitor all access to network resources and cardholder data;
  • Regularly test security systems and processes;
  • Maintain a policy that addresses information security for employees and contractors.

These Payment Card Industry (PCI) Data Security Requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data. Additionally, these security requirements apply to all “system components”, defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, Web, database, authentication, Domain Name Service (DNS), mail, proxy, and Network Time Protocol (NTP) servers. Applications include all purchased and custom applications, including internal and external (Web) applications.
