Credit and debit payment cards are convenient for consumers and businesses. They are used to pay for everything from concert tickets, cable and phone service, and newspaper and magazine subscriptions to many forms of advertising. If you are a merchant that accepts credit cards as a form of payment, your company must comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements.
Understanding the Changes
Originally issued in 2007, the PCI standards outlined 12 requirements and 6 principles of payment card data security. The newest release (Version 1.2), effective October 1, 2008, does not change the 12 requirements; rather, the Standards Council eliminated confusion by consolidating or eliminating sub-requirements. The new release adds clarity to those requirements that proved difficult to understand or define (such as “strong cryptography” and “application layer firewall”).
RubinBrown Point of View
Experience has shown that compliance with the PCI standards revolves around your security policies and procedures. An assessment of your current policies, procedures and processes against the requirements of the PCI DSS is an advisable next step. Compliance continues to be challenging, but in an era where a stolen card number leads to significant financial losses and damages the company’s reputation, complying is the right thing to do. Organizations that fail to comply with the standards risk not being allowed to handle cardholder data and could be assessed fines of up to $500,000 for each instance in which credit card data is lost or stolen.
Table 1.0 – Summary of PCI requirements
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software.
- Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know.
- Requirement 8: Assign a unique ID to each person with computer access.
- Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security.