FEATURED ARTICLE
Payment Card Industry Compliance and Your Immediate Responsibility
The Payment Card Industry (PCI) consists of the five major credit card companies (American Express, Discover, JCB, MasterCard & Visa). The purpose of the PCI Data Security Standard (PCI DSS) is to help prevent credit card fraud, hacking and various other security issues for businesses and organizations that process card payments. The PCI DSS requires merchants to complete a self-assessment questionnaire, successfully complete an annual or quarterly review of their processing environment and pass a system/network vulnerability scan.
The PCI Self-Assessment Questionnaire is a list of questions used to assess a merchant’s compliance. In February 2008, the PCI Security Standards Council released four versions of the questionnaire to account for the different merchant environments.
A Network Vulnerability Scan is an automated, non-intrusive scan that assesses a merchant’s network and web applications from the Internet. The purpose of the scan is to identify any vulnerabilities or gaps that may allow an unauthorized or malicious user to gain access to the merchant’s network and potentially compromise cardholder data.
Full compliance is mandatory. Elavon Merchant Services is automatically enrolling merchants who have not supplied compliance documentation or completed the validation process in Trustwave’s TrustKeeper Program for an annual fee of $135 beginning in December 2008. All merchants and Service Providers are required to comply with the PCI DSS.
PCI DSS compliance is an ongoing process. On March 1st, 2009, merchants who fail to meet PCI compliance standards will be assessed a monthly fee of $20. The fee will continue until the merchant successfully completes and passes the validation requirements. Merchants that are not familiar with these standards and the requirements may visit the PCI Security Standards website.
PRODUCT SPOTLIGHT
TrustKeeper® by Trustwave
Trustwave is the leader in providing on-demand security and payment card industry compliance. Trustwave is an Approved Scanning Vendor (ASV) and a Qualified Security Assessor (QSA). TrustKeeper® provides data security and compliance validation for PCI DSS compliance and other regulatory requirements. TrustKeeper® will help merchants understand the importance of PCI DSS requirements, help with analysis of their status and assist with meeting compliance.
TECH TIP
Identify Methods of Intrusion
There are many ways that a perpetrator can gain unauthorized access to a merchant’s Point of Sale (POS) system and storage media.
- SQL Injection (Structured Query Language): takes advantage of improper coding of web applications that allows hackers to gain access to information held on the database.
- Packet Sniffer: a device or program that monitors data traveling between two computers on a network allowing malicious intruders to capture and transmit credit card data.
- Trusted Insider: an employee, vendor or authorized visitor that takes advantage of authorized access to perform malicious acts or theft.
- Wireless Intercept: occurs when the wireless network has not been properly secured, allowing unauthorized use or penetration of the wireless network.
- Key Logger: a device or small program that captures each keystroke a user types on a specific keyboard. May be installed by a trusted insider.
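The SQL Injection item above comes down to one coding mistake: splicing user input into the SQL text instead of binding it as a parameter. The following is an added example (not code from NTC Texas, Elavon or Trustwave) that puts the improper lookup beside the corrected one against a constructed in-memory SQLite table of masked transactions; the table, rows and function names are all assumptions made for the illustration.

```python
"""
Added example: the 'improper coding' behind SQL injection versus a
parameterized query. Uses an in-memory SQLite table with constructed,
masked sample rows; no real cardholder data is involved.
"""
import sqlite3

# Constructed sample data: a tiny POS transaction table with masked PANs.
SAMPLE_ROWS = [
    ("ORD-1001", "411111******1111", 42.50),
    ("ORD-1002", "550000******0004", 19.99),
    ("ORD-1003", "340000******0009", 250.00),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (order_id TEXT, masked_pan TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, order_id: str):
    """The improper coding the tech tip describes: input is spliced directly
    into the SQL text, so the input can change the query's logic."""
    sql = f"SELECT order_id, masked_pan, amount FROM transactions WHERE order_id = '{order_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, order_id: str):
    """The fix: the driver binds the value as data, never as SQL syntax."""
    sql = "SELECT order_id, masked_pan, amount FROM transactions WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


def demo():
    """Count rows each lookup returns for a normal id and a malformed one.
    The vulnerable lookup leaks every row; the parameterized one returns none."""
    conn = make_db()
    malformed = "ORD-1001' OR '1'='1"  # textbook tautology from any SQLi primer
    return {
        "normal_vuln": len(lookup_vulnerable(conn, "ORD-1001")),
        "normal_param": len(lookup_parameterized(conn, "ORD-1001")),
        "tautology_vuln": len(lookup_vulnerable(conn, malformed)),
        "tautology_param": len(lookup_parameterized(conn, malformed)),
    }


if __name__ == "__main__":
    print(demo())
```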
What to Do if You Are Compromised
Step 1 – Immediate Containment: Shut down the compromised machine and disconnect it from the network.
Step 2 – Alert All Parties: Notify your internal security group, check applicable state laws for possible cardholder notification requirements, and contact NTC Texas/Elavon Merchant Services.
Step 3 – Follow Up: Complete the questionnaire provided by NTC Texas/Elavon Merchant Services regarding the compromise and provide information on the transactions that were possibly compromised.
Step 4 – Determination of Need for Independent Forensic Investigation: The card networks will determine whether an investigation is needed.
Step 5 – Validate: Merchants must ensure all PCI DSS standards are met after the breach.
DID YOU KNOW?
Merchants will have access to Trustwave’s TrustKeeper® PCI DSS compliance analysis program as of December 1, 2008.
Merchants must provide proof of PCI DSS compliance by March 1, 2009 or they will be assessed a $20 monthly fee until they provide proof of compliance.
Merchants can be fined by the Card Networks for improper storage of card data.
ABOUT NTC TEXAS
An Elavon Payment Partner, NTC Texas enables your business with all the transactional capabilities of the processing network rated #1 by MasterCard for reliability and availability. Whatever size your business is now, together, we can make it grow.
- Healthcare Providers
- Retailers
- Veterinarians
- Web Developers
- eCommerce/eBusiness
- Legal
- Assisted Living & Nursing Homes
- Day Care Centers
- Salons/Spas
- Restaurants
- Entertainment
- Travel & Lodging
- Not-for-profit
- Business-to-Business
- Government & Utility
CONTACT US
NTC Texas
106 Decker Court, Suite 260
Las Colinas, Texas 75062
Email: Info@NTCTexas.com
Web: www.ntctexas.com
Tel: 972.406.8111
Toll Free: 877.877.6511
Fax: 972.406.8611