Pci Dss Compliance Basics For Credit Card Data Security

By Author: Bryan Johnson
Total Articles: 24
Comment this article

PCI DSS Compliance is an industry-mandated security standard that applies to all businesses that handle, process or store credit cards.

There are 12 core requirements and roughly 250 controls, but as an oversimplification it boils down to three things: 1) all merchants, regardless if credit card data is stored, must achieve and maintain compliance at all times (all deadlines have passed); 2) merchants cannot store certain credit card information including CVV2, CVC2 and CID codes (three or four-digit numbers), track data from the magnetic strip or PIN data; 3) if permitted credit card information such as name, credit card number and expiration date is stored, certain security standards are required. A number of recent high profile breaches have been raising awareness and risks associated with PCI Compliance.

The motivation to become compliant The major credit card companies have provided both carrots and sticks in order to compel merchants to become and maintain compliance. The incentives include 'safe harbor' from certain penalties and fines if a merchant is compliant at the time of breach.

Without compliance, ...
... if a merchant is breached and has credit card information stolen, depending on the size of the breach, PCI related fines can be as high as $500,000 per incident. In severe cases, merchants can even be given the 'Death Penalty,' preventing them from accepting credit cards. In all, depending on the number of cards stolen, merchants are estimated to spend between $90 and $302 per record (see graph below).

The Payment Card Industry Data Security Standard (PCI DSS)

What is PCI DSS?
It's a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.

Who created it? While Visa and MasterCard originally developed it, as of September of 2006 American Express, Discover, JCB, MasterCard and Visa jointly formed the PCI Security Standards Council.

Why was it created? It was created in response to a spike in data security breaches over the last few years. A large number of both small and large businesses have been breached including TJX, Bank of America, Citigroup, BJ's Wholesale Club, Hotels.com, LexisNexis, Polo Ralph Lauren and Wachovia.

Who's at risk? Any business that processes, transmits, or stores credit card information. While the publicity of security breaches has recently been focused on larger companies, Visa reports that the majority of breaches are occurring at small businesses.

Bryan Johnson is the author of this article on PCI Compliance. Find more information relating to online payment systems, and card payment processing here. .