PCI DSS: the key facts
I spoke this week with Romain Chataigner, an IT security consultant at Orange, who leads the IT security practice at the IT&L@bs in Montreal, Canada, about PCI DSS and what it means for enterprises.
What is PCI DSS?
It stands for the Payment Card Industry Data Security Standard and was created by the PCI industry body that represents the five major payment brands: American Express, MasterCard, Visa, JCB and Discover. Essentially, PCI DSS is a security standard that focuses on the information security of credit card data: the cardholder's name, credit card number and the expiry date. The PCI created the standard in 2005 to have a unified security standard for the whole industry. Previously each payment brand had its own security standard, making it difficult for merchants to implement. Because the PCI DSS draws from these multiple security standards, it isn't really a new standard as such, but rather a consolidation of best practice in information security for cardholder data.
Why is PCI DSS important for enterprises?
Quite simply, it is mandatory to be PCI DSS compliant if you handle credit card data, and there are penalties if you don't comply with the standard. For example, in the U.S., American Express directly imposes penalties on merchants: $50,000 if non-compliant, $150,000 after 30 days, $200,000 after 60 days, and after 90 days the merchant actually loses its right to handle credit card data. The deadlines for compliance are set by the payment brands and depend on the transactions annually processed by an organization. In the U.S. the level 1 firms, which handle more than 6 million transactions, already need to be compliant, and other countries and company sizes are following suit.
Does it just apply to companies that take credit card data?
No, it applies to any company that handles credit card data at any point. For example, network service providers and hosting companies will need to be compliant if credit card data travels over their network or is stored in their data center, respectively. Because of this, it affects many different companies, not just the merchant who takes the credit card.
What steps do I need to take to become compliant with the standard?
The first step is to carry out a scoping exercise to allow you to identify where cardholder data is held, transmitted or processed. The standard only applies to these areas, so it is important that you focus your attention on where it matters. The second step is to carry out an assessment of how close you are to being compliant, such as what security you already have in place and how much work is required to fill in the gaps. This will allow you to draw up an action plan and carry out the necessary work. The final step is the assessment: some companies need to fill in a self-assessment questionnaire (SAQ), and this can be reviewed by an external Qualified Security Assessor (QSA) who will be able to certify the company to PCI DSS (Visa Canada, for example, requires the SAQ to be reviewed by a QSA). Others need to be assessed onsite by a QSA.
Watch this space for more interviews with the IT&L@bs organization.