The PCI DSS Standard: Information Security of Payment Cards

Introduction to the problem

The problem of protecting confidential information from unauthorized access is one of the most topical today. At the same time, the efforts of black-hat hackers are increasingly directed at the theft of confidential cardholder data. In recent years, so-called carding crimes, in which cardholder data is compromised and the information obtained is then used to commit fraud, have been committed all over the world.

A positive aspect of this situation is that the new version of PCI DSS (version 1.2), published by the Payment Card Industry Security Standards Council (PCI Security Standards Council) on 1 October 2008, does not impose any significant new requirements beyond the existing twelve that have been in force from the start. It should be noted that the revised version of PCI DSS was issued in full accordance with the originally agreed lifecycle of the standard, which provides for its review and update once every two years. According to the PCI Security Standards Council, the main changes in version 1.2 are clarifications of, and comments on, the existing requirements.

The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the international payment systems American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. as a single set of data security requirements, combining the requirements of the individual security programs of these payment systems. The purpose of the standard is to protect cardholder data and prevent card fraud by improving security in the industry as a whole. PCI DSS applies to all merchants and service enterprises, processing centers, credit and financial organizations and service providers that work with the international payment systems, i.e. to any company or entity that transmits, processes or stores sensitive cardholder data.

On September 7, 2006 the payment systems American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International issued a joint declaration establishing the independent PCI Security Standards Council, whose main activity is coordinating the formulation and development of PCI DSS.

According to experts, this event became a milestone in the payment systems' efforts to protect cardholder data, emphasizing the importance of the problem on a global scale. By creating an independent council to work on the PCI security standard, its founders are making the system as accessible and effective as possible for all participants in the payment process, including merchants and service enterprises, processing centers and financial organizations.

The Council acts as an advisory group and oversees the overall development of the PCI security standards. Each member of this structure has the opportunity to suggest changes, contribute to future projects, participate in developing amendments to the security standards, and influence the activities of the organization as a whole. In addition, participating organizations have the right to elect and be elected to the advisory body of the PCI security standards.

Among the challenges facing the Council are: developing and strengthening a global security technology standard for protecting cardholder data; reducing the cost and time of introducing the data security standard by establishing common technical standards and verification procedures for all payment systems; and creating a database of qualified developers of security solutions.

The new structure began with the adoption of the information security standard PCI Data Security Standard v. 1.1, aimed at determining the level of security of cardholder information and at forming recommendations for retail and service businesses, manufacturers and distributors of software solutions and terminal equipment on the measures needed to improve the protection of the software they use.

The standard is a list of requirements for security management systems, network infrastructure, policies, procedures, software development and other measures for protecting bank cardholder data. The requirements defined in the standard are designed to be fulfilled primarily by financial institutions, merchants and service providers that store, transmit or process cardholder data in the course of their everyday activities.

At the same time, each payment system remains responsible for introducing its own compliance programs in this area.

The main areas covered by the PCI DSS standard are:

• network infrastructure;
• means of physical security;
• IT infrastructure;
• application software;
• internal policies and procedures.

Although the standard places very high demands on all structures working with the international payment systems, and most market participants have to bear the costs of meeting them, the benefits of PCI DSS compliance for industry participants are undeniable.

The increased risk of compromise of cardholder data and the cases of hacking of card-processing systems require more stringent controls to protect confidential cardholder data. If we speak only of the most high-profile crimes in the card industry in recent years, the result is a very long list of "successful initiatives" by cyber criminals. In 2005, the U.S. processing company CardSystems Solutions announced that criminals had compromised the confidential data of more than 40 million cardholders. In January 2007, hackers gained access to the data of approximately 100 million cards at TJX, the operator of the TJ Maxx discount chain in the U.S. and TK Maxx in Europe. More recently, in 2008, more than 12 million customers were affected by a security policy breach at the Bank of New York Mellon, which resulted in the compromise of confidential cardholder data, including social security details, names, addresses and dates of birth. Today, having learned from bitter experience, the bank is carefully reviewing its security policies and procedures and taking the necessary steps to introduce industry-leading security measures in all areas of its business.

On March 23, 2009 the card payment giant Visa struck a blow against the public company Heartland, a leading U.S. debit and credit payment system, by removing it from its list of electronic payment service providers that comply with the Payment Card Industry Data Security Standard (PCI DSS). Organizations providing electronic payment services that are subject to this standard are required to protect confidential bank cardholder information and to combat identity theft and fraud.

Visa questioned the PCI DSS compliance of Heartland's payment protection system after the system was hacked in late 2008, stating that no commercial organization meeting the payment systems' standards had yet been compromised.

On January 20, 2009 Visa and MasterCard informed the public of the discovery of suspicious activity around bank card transactions. Heartland explained that in late 2008 malware had been discovered in its system. The compromised data included card numbers, card expiry dates and other data read from the magnetic stripe of bank cards and, in some cases, the names of debit and credit card holders in the Heartland network, which numbers 250,000 in the US.
Heartland did not disclose the extent of the leak, but the company's management described it as one of the largest in history. Banks across the country responded quickly, beginning to send out replacement cards and advising customers to closely monitor their accounts.

The trust that cardholders place in the various companies and organizations with access to their personal information, on which, in fact, the success of the international payment systems around the world rests, was noticeably shaken by these high-profile security breaches in all regions. Thus, in order to increase end users' confidence, it is vital today to ensure compliance with the PCI DSS standard. Minimizing the possibility of security policy violations and leaks of confidential data will restore cardholder confidence and at the same time help avoid the huge losses that may result from such violations, not to mention the often irreparable damage to the reputation of any market participant.

What are the advantages of successful certification of compliance with the requirements of the PCI DSS standard?

For the business in general:

• preventing sanctions by the payment systems;
• obtaining an international information security certificate, which improves the company's image and brand and its standing on world markets;
• preventing information security incidents and, as a result, reducing potential business losses;
• improving customer trust and loyalty to the company;
• improving the company's image at both the local and the international level;
• increasing the "transparency" of the company's information system for management and, as a result, better manageability of the company's information security;
• improving the effectiveness of the company's employees and shifting the culture towards an understanding of information security issues, particularly in handling cardholders' personal information;
• raising the overall level of protection of the data the company works with;
• reducing threats to the company's business processes;
• gaining a new competitive advantage by demonstrating not only competence in information security but also concern for the security of customers' data.

For information technology units:

• receiving an international information security certificate confirming the competence and level of the company's information security;
• improving the reliability and manageability of information security;
• obtaining additional tools to manage, control and monitor the company's information systems;
• reducing the possible security risks associated with cardholders' personal information;
• increasing the transparency of all information security processes in the company's systems;
• obtaining a comprehensive plan (portfolio) for addressing the vulnerabilities of the company's information systems and reducing information risk;
• raising the awareness of company personnel in information security, which is a prerequisite for introducing an effective information security policy in the company;
• improving the security of information during its processing and distribution;
• regulating company employees' access to cardholder information;
• more effective management of IT department staff and improved communication with the information security service.

For customers / users of IT services:

• operations with cardholders' personal information become more secure;
• the protection of stored cardholder personal information improves significantly;
• the risk of compromising cardholders' personal information drops dramatically;
• the overall efficiency and reliability of the company's information security system increases.

Thus, completing the complex set of steps needed to meet the requirements of PCI DSS allows the customer to receive the following benefits:

• increased confidence of customers, partners, contractors and business owners;
• a certificate as a guarantee of international recognition;
• transparency and clarity of the business to customers, partners and the law;
• reduced risk of compromising sensitive information.

So what has been achieved so far? How actively and successfully are banks now being certified as compliant with PCI DSS?

Let's start with the fact that the current situation can vary greatly between regions. For example, in the United States the process was accelerated by the threat of heavy fines and legal sanctions that apply in the event of a compromise of cardholder data.

In Europe, where the relevant legislation is not so developed, progress is slower. Currently, members of the international payment systems in the European Union audit their systems to bring them into compliance with PCI DSS on a voluntary basis. However, in the future they will most likely have to act not only on their own initiative but also under coercive pressure.

In turn, in the CIS region a considerable number of banks, including Russian credit institutions, have already concluded agreements with Qualified Security Assessors (QSAs) and are now gradually moving towards compliance with the standard.
According to the requirements of the international payment systems, all companies and organizations that transmit, process or store confidential cardholder data must undergo a PCI DSS compliance audit. Obviously, such an audit can be performed only by a company certified by the payment systems for this activity.
A striking example here is Sysnet, which has been working in the information security market since 1989 and has held PCI Qualified Security Assessor status since 2005, i.e. from the very beginning of the program. Currently Sysnet is the lead partner for banks in the Ukrainian market and is rapidly expanding its activities to other countries in the CIS region.

So, what attracts Sysnet to the CIS region? We are proud to provide our clients with highly customized solutions tailored to the specific challenges our customers face. We provide customers with professional, unbiased advice and service support, which enables them to achieve compliance with the PCI DSS standard. What distinguishes Sysnet from most of its competitors? First, our company holds a certificate of accreditation for its services under the international standard ISO 27001. We are an "independent provider", not tied to any specific vendors or other interested parties. Thus, if our company identifies a problem area in the security policy of a particular customer, we are able to give impartial practical advice on the most effective solution to the problem. For example, it is clear that the structures that have already begun the process of certification for compliance with PCI DSS requirements are on the right path, but what about those who have not yet taken real steps in this direction? Have they lost time? Most banks have already started at least to contact a QSA for assistance in achieving compliance with the standard. But for those who have not yet done so, it is not too late to embark on such initiatives. Depending on the existing level of practical compliance with the standard, a given structure can prepare for a PCI DSS audit in at least three months. If, however, significant infrastructure changes are required, it may take 1-2 years or even longer. In general, as practice shows, the larger the organization and the longer ago it was created, the more time it needs to implement the changes necessary to ensure compliance with the standard.

As for acquiring banks, they must not only ensure their own compliance with PCI DSS but also bear additional responsibility for ensuring that their merchants work towards compliance in accordance with the requirements of the payment systems. In carrying out this process, credit and financial institutions are required to report to the payment systems on the status of their merchants in the format required by each of them.

For further information, please visit our website at www.sysnetglobalsolutions.com