Payment Card Industry Data Security Standard
Credit cards are widespread and their use for online payments is increasing dramatically. However, this increase has also brought about a growth in credit card fraud. In March 2007, TJX Companies Inc. disclosed that at least 45.6 million credit and debit card numbers were stolen by hackers who broke into its network. In a bid to tighten up security and prevent breaches similar to that experienced by TJX, all businesses handling credit/debit card data now need to comply with strict security standards drawn up by the world’s major credit card companies, including VISA and MasterCard. These requirements are known as the Payment Card Industry Data Security Standard (PCI DSS), and to date these govern all the payment channels including retail, mail orders, telephone orders and e-commerce.
The Payment Card Industry Data Security Standard and GFI Software
Companies are constantly at risk of losing sensitive cardholder data, which could result in fines, legal action and bad publicity. Achieving PCI DSS compliance should therefore be high on the agenda of companies that store, transmit or process credit card data. Furthermore,organizations that fail to comply face fines of up to $500,000 if the data is lost or stolen and risk not being allowed to handle cardholder data. All merchants that store, process or transmit cardholder data must be compliant. However, Level 4 merchants must refer to their merchant bank for specific validation requirements and deadlines. All deadline enforcement will come from one’s merchant bank.GFI Software offers two solutions to organizations that need to become PCI DSS compliant:
- GFI EventsManager - a complete event log management system and
- GFI LANguard - a complete network vulnerability management solution that includes vulnerability scanning, patch management and network auditing.
What is the Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS framework is divided into 12 security requirements which can be grouped into three main areas:
1. Collection and storage of all log data so that it is available for analysis
2. Reporting on all activity so as to be able to prove compliance on the spot
3. Monitoring and alerting whereby administrators can constantly monitor access and usage of data and be warned of problems immediately.
Read more about PCI compliance
As from December 31, 2007 all businesses handling cardholder data – irrespective of size – have to be compliant with strict security standards drawn up by the world’s major credit card companies. This includes:
- Banks and financial institutions
- Educational institutions
- Healthcare
- Hotels and restaurants
- Government
- Insurance companies
- Manufacturing
- Retail
- Post offices
- Technology companies
- And many more!
Reference Material
The following is a list of reference material related to PCI DSS – all material can be accessed for FREE – no registration required.
Additional information
Whitepapers
