The Payment Card Industry Data Security Standard – the result
of a collaboration between Visa and MasterCard – has the support of
other card companies, including American Express, Discover and
Diners Club, and represents a concerted effort to tackle identity
theft and on-line fraud.
It sets out procedures for handling cardholder information in
a secure manner, and requires that merchants carry out a quarterly
compliance check. All merchants are covered by the standard,
although only those carrying out more than 20,000 transactions per
year will be obliged to have their compliance verified.
In brief, the merchant is obliged:
- to install and maintain a firewall to protect data;
- not to use vendor-supplied defaults for system passwords and other security parameters;
- to protect stored data;
- to encrypt the transmission of cardholder data and sensitive information;
- to use and update anti-virus software;
- to develop and maintain secure systems and applications;
- to restrict access to data on a need-to-know basis;
- to give a unique ID to each person with computer access;
- to restrict physical access to the data;
- to track and monitor all access to the network and data;
- to regularly test security systems and processes; and
- to maintain an information security policy.
The requirements are backed by tough sanctions – including
heavy fines and the threat of the withdrawal of credit card
processing facilities.
By using a single standard and enforcing it strongly the
credit card industry hopes to stem the tide of identity theft and
on-line fraud.
Recent highly-publicised consumer privacy breaches include the
loss of backup tapes containing the credit card information of 1.2
million federal workers by Bank of America, the loss of around
310,000 customers' personal information to identity thieves at a
subsidiary of data broker LexisNexis, and the reported loss of
transaction data belonging to around 180,000 customers of fashion
house Polo Ralph Lauren.