Should you be concerned about PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit or debit card information, including any merchant that stores, processes or transmits credit or debit card data. PCI compliance is not a request or a suggestion; it is now a requirement from Visa. Any organization that accepts payment card transactions must comply with the standard. Credit card companies and acquiring banks can levy stiff fines and revoke a merchant's ability to process card transactions until the merchant is PCI compliant.

Basic rules on PCI DSS compliance:
In a recent PCI webinar hosted by Imprivata software and Forrester Research, Khalid Kark said that questions about how to determine whether a service provider needs to be PCI DSS compliant are very common. "I get these questions all of the time," he commented. "The rule of thumb is this: If you house credit card information, in whatever form, if you house the information in your server -- the server that you own or you added -- then you are basically responsible for complying with PCI DSS."

Even with a uniform standard for compliance, evidence suggests there has been no rush to comply since the PCI Security Standards Council instituted the new security standards. Many organizations have started to comply or to audit certain areas, but the overall numbers seesaw depending on each merchant's level. According to data collected by Visa, in 2006 only 18 percent of Level 1 merchants -- merchants with 6 million or more Visa transactions per year -- were compliant with PCI DSS, compared with the 35 percent who are PCI compliant in 2007. Another 51 percent have completed a report on where they stand in terms of compliance, and 93 percent of the responding merchants certified that they are not storing PIN numbers, card verification numbers or other prohibited card data. Only 26 percent of Level 2 merchants -- merchants with 1 to 6 million Visa or MasterCard transactions per year -- are PCI compliant at this time, but Level 3 merchants -- merchants with 20,000 to 1 million Visa or MasterCard transactions per year -- have a higher compliance rate of 51 percent.

According to information gathered by Kark and Forrester Research, although organizations are spending a lot of money to become PCI compliant, it still takes a long time for an organization to actually see the benefits of that compliance.
"We've found that over years, typically there is one year there is a push to get spending, or to have spending in terms of a specific regulation," Kark explained. "In 2005, for government, it was FISMA [government compliance program] and there was a lot of spending in terms of getting the controls in place, getting the technology in place, and so on, and in 2006 we saw a similar trend in the retail industry where the retail industry spent a lot of money in terms of getting compliant with PCI."

Continuing, Kark said that implementing a PCI DSS compliance program is still a lengthy process. "Once you start implementing technologies, once you start investing in security controls, then it takes a couple of years from implementation to realize the benefits of that spending," he said. "And to be able to get to the fact of 'Well, yes we are compliant completely, and yes we spent the money a couple of years ahead of time, but then we needed to put in processes and other things. Now we are realizing the benefits of that spending'."

Based on surveys conducted by Forrester Research, Kark believes that most companies will be compliant with PCI DSS within the next 6 to 12 months. "That may be a little late for some companies, but that is the data that we find, at the moment," Kark said.

But the fact that an organization is PCI DSS compliant right now does not mean it will remain compliant indefinitely. The obligation to comply with PCI DSS is ongoing, because new technologies and new ways of stealing personal data keep appearing as well. "In general, compliance is 100 percent, but it's a certain point in time, so if you are compliant today, it doesn't necessarily mean you will be compliant tomorrow," Kark said.
"Being compliant means that at the time of the audit you [organization] were PCI compliant to 100 percent of the requirement in respect to whoever the auditor was ... it's the auditor that makes the judgment, but it may not really remain 100 percent throughout."

For Visa, Inc., PCI DSS compliance means following its Cardholder Information Security Program (CISP), which incorporates the PCI DSS standards. The CISP program includes compliance and validation requirements for the following entities:
This information is brought to you by Elavon, a credit card processor to the VDTA/SDTA, from Control Scan (www.pcicomplianceguide.org) and Visa. For more information on this or the VDTA/SDTA merchant program, call Kimberly Layton at Elavon, 1-866-638-8614 (direct). For a free merchant statement analysis, fax to Kimberly at 1-865-403-5535.

Reprinted from Central Vac Professional, December 2008