Various credit card companies have had their own security requirements for years that their merchant customers had to abide by to be able to continue to accept and process credit card payments. For example, MasterCard has its Site Data Protection (SDP) program, American Express has its Data Security Operating Policy (DSOP), Discover has its Information Security and Compliance (DISC), and Visa has its Account Information Security (AIS) and Cardholder Information Security Program (CISP). Although the specific requirements differed slightly or vastly, they all had the same goal, which was to reduce fraud so that the credit card companies did not continue to lose so much money. One way to reduce fraud is to make sure that the merchants are providing the necessary level of security for credit card information. So this breaks down to the credit card company stating, "Protect our stuff or you can't use our stuff anymore."
Over the years, as identity theft and digital credit card abuses continued, MasterCard and Visa led the way in consolidating all of these various requirements so that things would not be as confusing and would be more easily enforced. The grand offering from this collaboration effort was named the Payment Card Industry Data Security Standard (PCI DSS), and consultants and auditors have been making more money than ever before.
PCI DSS is accepted by the payment industry as the global standard for cardholder information security. Its purpose is to identify security weaknesses, reduce credit card fraud, and protect cardholder information from exposure and compromise by mandating how the credit card information is collected, transmitted and stored.
Payment Card Industry Facts
- Other Names = PCI DSS, PCI
- Main Regulatory Agency = Credit card companies, no government agency
- Industry = All
- Who Must Comply = Merchants and service providers who accept credit card payments
- Sections pertaining to IS auditors = All 12 requirements
The PCI DSS called for compliance by June 30, 2005; however, adoption has been slow because the standard is driven by private industry. This means that compliance is not enforced by a government agency or the courts; instead, the credit card industry creates the incentive through financial sanctions against merchants and service providers that are not in compliance. The requirements of PCI DSS are reasonable given the sensitive nature of the data; however, variations in how broadly some of the requirements are interpreted can make implementation as significant a project as the most restrictive federal or state regulations. Additionally, there are different levels of compliance validation, the details of which are presented below. The benefit of demonstrable compliance is that merchants and service providers can have a single compliance program that satisfies the requirements of all of the payment card companies. A popular opinion in the information security community is that the majority of the requirements specified in the PCI DSS are prudent safeguards applicable to all industries.
PCI DSS Requirements
There are 12 requirements in PCI DSS, sometimes colloquially referred to as the Digital Dozen, which are grouped into six categories. The requirements are subject to interpretation, and it is safe to say that they encompass virtually every facet of data and network security: data creation, access control, transmission, encryption, storage format, disposal, usage, monitoring of usage and notification of unauthorized usage or breach, stipulations covering the use of firewalls, anti-virus software, security patch management, periodic network scans, logging, and more. At the highest level is requirement 12, arguably the most all-inclusive; it states simply, "Maintain a policy that addresses information security."
The following table summarizing the PCI DSS requirements is reproduced from the Visa website, http://usa.visa.com.
PCI Data Security Standard

| Category | Requirement |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored data |
| | 4. Encrypt transmission of cardholder data and sensitive information across public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |

Table: Quick breakdown of PCI DSS requirements
There is a companion document available entitled "PCI Data Security Standard" that provides more granular details on each of the requirements. You can find it at
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf
The snippet below shows an example of the level of detail available under Requirement 4 within the PCI Data Security Standard document. This specificity is in stark contrast to legislated regulations, which are typically stated in language at an even higher level than the verbiage of the PCI DSS Digital Dozen. One entity's compliance project can differ from another's based on its interpretation of the legislation. PCI DSS compliance, discussed below, involves checklists and forms that provide consistency. For example:
Requirement 4: Encrypt transmission of cardholder and sensitive information across public networks.
{Requirement 4.1 text omitted for brevity.}
4.1.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS.
Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
- Use with a minimum 104-bit encryption key and 24-bit initialization value
- Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS
- Rotate shared WEP keys quarterly (or automatically if the technology permits)
- Rotate shared WEP keys whenever there are changes in personnel with access to keys
- Restrict access based on media access code (MAC) address
As you can see, the level of detail in that section is far greater than what you will get in regulations like SOX, GLBA and HIPAA. This level of detail makes auditing simpler.
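As an added example (not from the original article or from the PCI standard itself), the following Python check applies the 4.1.1 wording quoted above to a wireless LAN configuration and reports the deviations an assessor would record. The configuration dictionary layout and the sample configurations are assumptions constructed for illustration.

```python
# Added example, not from the original article: apply the Requirement 4.1.1
# text quoted above to a wireless LAN configuration and list the deviations.
# The configuration dict layout is assumed for illustration; a real AP or
# controller export would need its own parser in front of this check.
from datetime import date, timedelta

UPPER_LAYER = {"IPSEC_VPN", "SSL_TLS"}   # tunnels that protect traffic on their own
QUARTER = timedelta(days=91)             # "rotate shared WEP keys quarterly"
AUDIT_DATE = date(2005, 7, 1)            # constructed assessment date

def check_wlan_4_1_1(cfg, today):
    """Return the 4.1.1 deviations found in cfg; an empty list means none."""
    findings = []
    link = cfg.get("link_encryption", "NONE").upper()
    tunnel = cfg.get("tunnel", "NONE").upper()
    protected = link in ("WPA", "WPA2") or tunnel in UPPER_LAYER
    if link == "WEP":
        # WEP may only be used under WPA/WPA2, a VPN or SSL/TLS, never alone
        if not protected:
            findings.append("WEP relied on exclusively")
        if cfg.get("wep_key_bits", 0) < 104:
            findings.append("WEP key shorter than 104 bits")
        if cfg.get("wep_iv_bits", 0) < 24:
            findings.append("WEP initialization value shorter than 24 bits")
        rotated = cfg.get("wep_key_rotated_on")
        if rotated is None or today - rotated > QUARTER:
            findings.append("WEP key not rotated within the last quarter")
        if not cfg.get("mac_restriction", False):
            findings.append("no MAC address restriction")
        # Rotation after personnel changes is not visible in a config; it has
        # to be verified against key-custodian records during the assessment.
    elif not protected:
        findings.append("transmissions not protected by WPA/WPA2, IPSEC VPN or SSL/TLS")
    return findings

# Constructed sample configurations (not real network data)
LEGACY_AP = {"link_encryption": "WEP", "wep_key_bits": 40, "wep_iv_bits": 24,
             "wep_key_rotated_on": date(2005, 1, 10), "mac_restriction": False}
WEP_UNDER_VPN = {"link_encryption": "WEP", "tunnel": "IPSEC_VPN", "wep_key_bits": 104,
                 "wep_iv_bits": 24, "wep_key_rotated_on": date(2005, 5, 1),
                 "mac_restriction": True}
POS_WLAN = {"link_encryption": "WPA2"}

if __name__ == "__main__":
    for name, cfg in (("legacy_ap", LEGACY_AP), ("wep_under_vpn", WEP_UNDER_VPN),
                      ("pos_wlan", POS_WLAN)):
        print(name, check_wlan_4_1_1(cfg, AUDIT_DATE) or "no 4.1.1 deviations")
```

The personnel-change rotation rule is the one item a configuration review cannot settle; it needs records of who held the keys and when they changed.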
PCI DSS applies to all entities that store, process, or transmit credit card transactions and/or cardholder data. This universe is split into two groups: merchants, who initiate and process the end-user transactions, and service providers. Each group is divided into levels with different requirements, determined mainly by the number of credit card transactions they process annually.
Service providers facilitate a variety of business functions for merchants, including offering and selling online content, payment processing services, and application hosting and processing. The validation requirements for each group are divided into levels based on transaction volumes.
Note: The PCI DSS provides tools used to show compliance: downloadable templates and checklists are available for the Data Security Assessment, the Self Assessment, and the Site Audit, discussed below. The Self Assessment is a Yes/No checklist.
Merchant Levels and Compliance Validation Requirements
Table 4-6 below is included here only as a guide. The data is derived from the http://usa.visa.com/merchants/risk_management/cisp_merchants.html website, which contains additional detail as well as templates for Audit Procedures, Security Scanning Procedures, the Self-Assessment Questionnaire, and more. Table 4-6 shows the level criteria and validation requirements for merchants. Though some terms in this table may be Visa-specific, the levels apply to PCI DSS itself. Most of the credit card companies use similar transaction volumes to define each level.
Table 4-6: Merchant levels and requirements
As you can see, merchants that process a lot of credit card transactions have stricter requirements, because if they do not implement proper security they can cause damage that is more expansive and detrimental than the smaller shops can. So Amazon.com will need to make sure to run a very tight ship because of all the credit card transactions it processes, but a small donut shop that would qualify as a Level 4 will not be as scrutinized, because it won't have as much sensitive information that can be stolen. It should also be noted that the credit card companies' incentive when dealing with fraud is related to the financial exposure that each merchant represents: a larger merchant could mean higher claims from customers with fraudulent transactions than a small merchant would.
Service Provider Levels and Compliance Validation Requirements
As mentioned before, the service provider must also pony up and meet the same type of security requirements. Table 4-7 illustrates the levels, descriptions, and annual and quarterly requirements. (Again, this is from the Visa site, http://usa.visa.com/merchants/risk_management/cisp_service_providers.html, but you will find the same type of information on every credit card company's site.)
Note: The dedicated site for PCI DSS information is https://www.pcisecuritystandards.org.
| Service Provider Level | Description | Annual Validation Requirements | Quarterly Validation Requirements |
|---|---|---|---|
| 1 | All VisaNet processors (member and non-member) and all payment gateways.* | On-site PCI Data Security Assessment by a Qualified Data Security Company. | Network scan performed by a Qualified Independent Scan Vendor. |
| 2 | Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 accounts/transactions annually. | On-site PCI Data Security Assessment by a Qualified Data Security Company. | Network scan performed by a Qualified Independent Scan Vendor. |
| 3 | Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually. | PCI Self-Assessment Questionnaire performed by the service provider. | Network scan performed by a Qualified Independent Scan Vendor. |

Table 4-7: Service provider levels and requirements
So to be officially certified as compliant with PCI, a qualified auditor must carry out an evaluation to ensure that all of the rules are being properly met for the corresponding merchant level. The quarterly and annual audits depend upon the classification (i.e., 1-4 for merchants). The classifications are based on the volume of credit card transactions that are carried out annually.
The following table summarizes some of the security services that must be provided for PCI DSS compliance. There is much more involved; this is only a quick snapshot.
| Security Controls | Requirements | Examples |
|---|---|---|
| Confidentiality and Authentication | No unauthorized access to consumer credit card information | Encryption, access controls, no access to key material, protection of data in transit and while stored. Needs to take place at each intermediary the data travels to and through. |
| Logging | Logging events on systems that carry out transactions and access to systems that contain credit card information. | Systems and applications must log security events and protect logs from unauthorized access. Logs should be backed up regularly. Logs may be used for behavior monitoring to detect fraudulent activities. |

Table: Some requirements of PCI DSS
Although these new standards can be exasperating to organizations that also have to deal with other regulations, they will only help in the long run. This standard really just outlines what companies should be doing anyway. It helps the company by providing guidelines on how to implement better security, it helps the credit card companies by reducing fraud and saving them money, and it helps the economy because there is more confidence in continuing to purchase items with the plastic that we are all so fond of.
Although this stuff may seem dry and unrelated to our daily lives, it does affect them. As fraud and abuse are allowed to continue, they directly affect each one of our interest rates, prices for different services, and insurance. So while individuals may blow off financial fraud because they know that the financial institutions will be the ones who have to pick up the bill, everything rolls downhill. Financial institutions will not shoulder this burden alone; we all will. We just don't usually understand the direct link between fraud and why we have to pay more in services for a checking account or why our interest rates increase.
The CISSP exam covers where regulations fit into the overall security program and enterprise security architecture. We offer different formats of material to allow you to study for the CISSP exam in a way that fits you best. Please review the following pages:
http://www.logicalsecurity.com/training
http://www.logicalsecurity.com/solution
http://www.logicalsecurity.com/cbt