When customers pay with a debit or credit card, whether at the checkout, over the phone or online, they expect their account information to be safe. It's the merchant's responsibility to deliver on that expectation. To ensure this, card companies--Visa, MasterCard and others--have historically provided security standards that merchants had to meet or risk facing fines. But with several competing card companies, each with its own security standard, compliance was a complicated business.
Responding to that concern, Visa and MasterCard joined forces to launch the Payment Card Industry (PCI) Data Security Standard, which went into effect December 2004 and offers a single approach to safeguarding card data for all card brands. American Express, Discover, Diners Club and JCB Cards have endorsed the program. "The end result is a single program that a merchant can validate, and if they pass, Visa, MasterCard, AmEx, Discover, Diners and JCB will all accept it," explains John Shaughnessy, senior VP of operations & risk, Visa USA.
The new standard is modeled after Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP) program. According to John Verdeschi, VP of e-business and emerging technologies for MasterCard, the shared standard was designed to ease the compliance burden for merchants. "We wanted to make this easier for people to adopt. The added benefit is that the shared standard shows a united front between the card brands and demonstrates that we believe this is a very important issue."
The new standard consists of twelve basic requirements (listed in the chart below) supported by more detailed sub-requirements. It applies to all members, merchants, and service providers, including third-party processors, that store, process or transmit cardholder data.
Additionally, these security requirements apply to all system components, including any network component (such as firewalls, switches, routers and network appliances), server (such as Web, database, authentication or mail servers) or application (whether purchased or custom, including internal and external Web applications) that is included in or connected to the cardholder data environment. In practice, this means that scope is determined by connectivity, not by intent: a system that never handles card data but sits on the same network segment as one that does is in scope unless it is segmented away.
With the new standard in place, a merchant or third party need only perform a single validation each year. The Report on Compliance, which documents that the merchant meets the PCI Data Security Standard, is submitted to the acquiring member with whom the card company has a contractual agreement, such as an acquiring bank, and will be recognized by all card brands, which Shaughnessy calls "one-stop shopping."
Fines for non-compliance vary by company. With Visa, violations can range from $50,000 to $100,000 per incident. "In the case of an egregious violation, fines can go up to $500,000 per incident," says Shaughnessy. One such violation is storage of the full contents of the magnetic stripe, known as full-track data, after authorization. "There are security features that can't get out. If they do, it's like the keys to the bank."
The fine is levied against the acquirer, who can pass it along to the merchant if the contract allows them to do so. The card company can also impose restrictions upon the merchant, or permanently prohibit them from participating in its programs. MasterCard's Verdeschi adds that fines are purely used to provide incentive for adoption where adoption isn't already taking hold.