There have been a number of security breaches in recent years in which credit card companies have found data missing, stolen through a breach of their security systems. In the wake of these incidents, a general standard across the industry was brought to the table by the major credit card companies VISA and MasterCard.
PCI DSS, or Payment Card Industry Data Security Standard, is the standard guideline that credit card payment handlers refer to when dealing with sensitive credit card payment information. It is considered the bar that all credit card payment processors and handlers have to meet or exceed. Meeting PCI compliance ensures that the most up-to-date measures to prevent theft or fraud are in place.
The PCI compliance standard has twelve basic security requirements for card data handlers to adhere to:
– Regular testing of their security systems and processes
– Create and maintain an in-house policy for addressing security issues
– Restrict physical access to credit card data and owner’s information
– Have a tracking system to monitor all access to the network and credit card data
– Those who have access maintain and use a unique ID
– Keep a policy that restricts access to a need-to-know basis only
– Routinely run up-to-date antivirus software
– Maintain secure systems and application software
– Encrypt cardholder data and sensitive information across the network
– Protect data that is stored
– Set your own system passwords; never use the network software’s defaults
– Maintain a sound firewall
Repercussions in a Credit Card Systems Breach
Lost money and identity theft are major issues in themselves, but a company that suffers a security breach is also often subject to major losses from lawsuits and liability claims. There have been instances where corporations went under simply because they did not have proper PCI compliance.
A case example is the information breach at TJX Companies, where data thieves exploited a flaw in the company’s computer network. In that case the largest credit card data loss incident to date occurred in early 2007, and several million card numbers and cardholder names were leaked.
As a result, the company lost money in fines from the PCI DSS organization and in lawsuits brought by parties with a vested interest, such as major shareholder groups.
The most glaring gap in PCI compliance in this case was that their data was inconsistently encrypted. The thieves found some older card information (dating back several years) and exploited this weakness. Encrypting cardholder data is one of the 12 points listed in the security standards that the PCI DSS organization laid out.