
October 2007 - New Credit Card Standards

 


It is a staggering statistic: an estimated 10 million Americans per year fall victim to identity theft. Aside from the obvious ramifications for consumers, the damage identity theft can cause a small to midsize business can be fatal. A business that loses cardholder data can face severe financial penalties, legal action, or sanctions from the major card brands. In December 2004 the major card brands agreed on a single standard, the Payment Card Industry Data Security Standard (PCI DSS). In this month’s Tech Brief we discuss the standard that was created to protect cardholders from the alarming increase in identity theft, fraud, and other security breaches.

 

 

What is Payment Card Industry Compliance?

 



The Payment Card Industry Data Security Standard began as five separate programs: Visa Cardholder Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information Security and Compliance, and JCB Data Security Program. These programs overlapped heavily because their objective was the same: to protect customers by ensuring that merchants adhere to common standards for storing, processing, and transmitting cardholder data.

 

 

What Companies Need to be Compliant?

 

The PCI standards are clear in their expectations of merchants that accept card payments. According to the PCI Security Standards Council, “any company that accepts, processes, or stores credit card information needs to comply with the standards set by the Payment Card Industry.” The card brands reserve the right to impose fines and sanctions on companies found in violation, and they can terminate an organization’s ability to process card payments entirely. If your organization falls within the Level 1 or Level 2 merchant categories (explained below), there is little time left for strategic planning: after September 30th, 2007 for Level 1 merchants and December 31st, 2007 for Level 2 merchants, non-compliant companies can be fined anywhere from $5,000 to $25,000 per month. This does not mean that Level 3 and Level 4 merchants are safe from fines, but it is obvious where the main enforcement focus is.

 

 

What Level of Compliance is our Business?

 

Although the PCI DSS itself contains the same security requirements for every merchant, how a merchant must validate compliance depends on its annual card transaction volume. Each card brand divides merchants into four levels (the thresholds below are one brand’s; the other brands’ thresholds differ slightly, so confirm yours with your acquiring bank), and each level carries a different set of validation requirements.



Level 1 Criteria

  • Merchants with over 6 million transactions a year
  • Any merchant that has suffered a cardholder data compromise, regardless of volume


Level 1 Requirements

  • Annual on-site security audit and quarterly network security scan by an Approved Scanning Vendor


Level 2 Criteria

  • Merchants with 150,000 to 6 million transactions a year


Level 2 Requirements

  • Annual Self Assessment Questionnaire
  • Quarterly Scan by an Approved PCI Scanning Vendor


Level 3 Criteria

  • Merchants with 20,000 to 150,000 transactions a year


Level 3 Requirements

  • Quarterly Scan by an Approved PCI Scanning Vendor
  • Annual Self Assessment Questionnaire


Level 4 Criteria

  • Merchants with fewer than 20,000 transactions a year


Level 4 Requirements

  • Compliance must be maintained, but validation does not have to be reported to the card brand; the merchant’s acquiring bank sets the validation requirements
  • Annual Self Assessment Questionnaire and quarterly scan by an Approved Scanning Vendor are recommended

 


The PCI Security Standards Council has assumed responsibility for the Approved Scanning Vendor (ASV) program. For a list of approved scanning vendors, please click Approved Scanning Vendor Directory. An ASV scan produces a report that lists each vulnerability found, identifies the host and service it affects, recommends how to remedy it, and assigns a severity rating from 1 to 5. Under the ASV scanning procedures, any finding rated level 3 or higher makes the scan non-compliant and must be fixed and re-scanned. The rating criteria for each level are outlined below.



Level 5 Vulnerabilities

Level 5-Urgent-At this level an attacker can compromise the entire host: full read and write access to the file system, remote execution of commands as root or administrator, or the presence of backdoors and Trojans.


Level 4 Vulnerabilities

Level 4-Critical-Gives an attacker partial access to the file system or remote access as an ordinary user. These vulnerabilities expose highly sensitive information.


Level 3 Vulnerabilities

Level 3-High-Gives an attacker access to information stored on the host, including security settings, and opens the host to misuse. Examples include access to specific files, denial of service, directory browsing, and open mail relaying.


Level 2 Vulnerabilities

Level 2-Medium-Gives an attacker material for planning further attacks, such as the exact versions of services running on the host.


Level 1 Vulnerabilities

Level 1-Low-Exposes basic information about the host, such as open ports, that an attacker can use to learn about its configuration.

 

 

Reporting on Compliance

 


Despite the common standard, PCI compliance reporting is not yet uniform. Each card brand still has its own format and route for receiving validation, and since most businesses accept both MasterCard and Visa, the same evidence often has to be submitted in both formats. Consult your ASV and your acquiring bank on how to report. Remember that the scans must be completed once every quarter; a missed quarter, or a quarter in which only a failing scan was run, counts as non-compliance and can result in severe penalties and fines.
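The two checks a merchant needs for the quarterly scan requirement, whether a given scan passes and whether every recent quarter is covered by a passing scan, as an added Python example (not code from the Tech Brief or from any ASV). It assumes the ASV program rule that a finding rated level 3 or higher fails the scan, and runs on constructed sample scans against a hypothetical host.

```python
"""Quarterly ASV scan checks: does a scan pass, and is each quarter covered?
Added example, not part of the original Tech Brief."""
from collections import namedtuple
from datetime import date

# ASV reports rate each finding 1 (low) to 5 (urgent).  Assumption, taken
# from the ASV scanning procedures: level 3 or above fails the whole scan.
FAIL_THRESHOLD = 3

Finding = namedtuple("Finding", "host port title level")
Scan = namedtuple("Scan", "scan_date findings")


def scan_passes(scan):
    """A scan passes only if every finding is below FAIL_THRESHOLD."""
    return all(f.level < FAIL_THRESHOLD for f in scan.findings)


def failing_findings(scan):
    """Findings that must be remediated before a re-scan can pass."""
    return [f for f in scan.findings if f.level >= FAIL_THRESHOLD]


def quarter_of(d):
    """Map a date to its calendar quarter as (year, 1..4)."""
    return (d.year, (d.month - 1) // 3 + 1)


def last_n_quarters(as_of, n=4):
    """The n calendar quarters ending with the one containing as_of, oldest first."""
    year, q = quarter_of(as_of)
    quarters = []
    for _ in range(n):
        quarters.append((year, q))
        q -= 1
        if q == 0:
            year, q = year - 1, 4
    return quarters[::-1]


def missing_quarters(scans, as_of, n=4):
    """Quarters in the window with no passing scan, either because no scan
    was run or because every scan that quarter failed.  An empty list means
    the quarterly requirement is met for the window."""
    covered = {quarter_of(s.scan_date) for s in scans if scan_passes(s)}
    return [q for q in last_n_quarters(as_of, n) if q not in covered]


# Constructed sample data: hypothetical host 192.0.2.10, finding titles drawn
# from the severity descriptions above.  Q1 passes, Q2 fails on an open mail
# relay (level 3), Q3 passes, Q4 2007 has not been scanned yet.
SAMPLE_SCANS = [
    Scan(date(2007, 1, 15), [
        Finding("192.0.2.10", 443, "open port discovered", 1)]),
    Scan(date(2007, 5, 20), [
        Finding("192.0.2.10", 25, "mail relaying allowed", 3),
        Finding("192.0.2.10", 22, "exact service version disclosed", 2)]),
    Scan(date(2007, 8, 3), [
        Finding("192.0.2.10", 22, "exact service version disclosed", 2)]),
]


def check_sample(as_of_iso):
    """Run the coverage check on the sample scans as of an ISO date string."""
    return missing_quarters(SAMPLE_SCANS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for s in SAMPLE_SCANS:
        status = "PASS" if scan_passes(s) else "FAIL"
        print(s.scan_date, status, [f.title for f in failing_findings(s)])
    for year, q in check_sample("2007-10-01"):
        print(f"no passing scan for Q{q} {year}")
```

Run on 1 October 2007 the check reports Q2 2007 (the failing scan was never followed by a passing re-scan) and Q4 2007 (not yet scanned); the Q2 gap cannot be repaired after the quarter ends, which is why a failed scan should be remediated and re-run inside the same quarter.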

Want More Information?

PCI compliance is forcing significant change in the business world. Its requirements oblige companies to keep systems patched and vendor-supported, to protect the networks and applications that handle card data, and to put a variety of other controls in place so that sensitive customer data stays secure. Thrive Networks Strategic Consulting Division is well versed in the changes that PCI compliance brings to the small to midsize business arena. Whether it is building a corporate strategy to bring your business into compliance or a hardware rollout to improve the current state of your infrastructure, feel free to contact Thrive Networks to learn how we can assist your business in this time of change.