1. Overview

[Figure 1: the "Circle of Compliance"]

The Payment Card Industry Data Security Standard (PCI DSS) sets minimum security requirements for any organization that handles payment card data. How compliance must be validated varies with the size of the organization (its merchant or service-provider level), but in each case three steps are required.

  1. Risk Assessment
  2. Safeguards Implementation based on the risk assessment
  3. Vulnerability Assessment to measure the effectiveness of the Safeguards Implementation

The "Circle Of Compliance" approach is shown graphically at the right.

The automated Compliance Reporter for PCI provides the "formal risk assessment" required by the PCI DSS. Following the risk assessment, consulting products and partners can then assist the customer in implementing the safeguards recommended by the Compliance Reporter.

1.1 The PCI Standard

The Payment Card Industry Data Security Standard applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit cardholder data. This set of guidelines and operational requirements went into effect June 30th, 2007. Failure to comply with the Payment Card Industry security standards may result in heavy fines, restrictions or permanent expulsion from card acceptance programs.

Validating compliance has been troublesome for card handlers. In July 2007 Visa stated that only 40 percent of Level 1 retailers were compliant with the DSS. Despite considerable progress over the following year, the industry continues to have significant compliance gaps.

1.2 PCI History

The Payment Card Industry Data Security Standard was created by major credit card companies to protect customer information, safeguard transactions, and provide risk assessment by identifying vulnerabilities or exploits that could be used to compromise systems and interfere with the integrity of the process.

On December 15th 2004, Visa, MasterCard, American Express, and Discover combined resources to create a single PCI Data Security Standard (DSS), which would allow them to meet the needs of their existing individual programs under a standardized process. PCI effectively combines requirements of the following programs:

  • Visa - CISP (Cardholder Information Security Program)
  • MasterCard - SDP (Site Data Protection)
  • American Express - DSOP (Data Security Operating Policy)
  • Discover - DISC (Discover Information Security and Compliance)

The Compliance Reporter for PCI provides a systematic starting point for addressing the PCI DSS requirements.

Copyright © 2006-2022 ACR 2 Solutions. All rights reserved.