Merchants 5 Step Guide
To PCI Compliance

   Step 1: An Introduction to PCI Compliance

   Step 2: Finding PCI DSS Level

   Step 3: Security Audits: 12 Requirements

   Step 4: Finding a PCI DSS Approved Scanning Vendor (ASV)

   Step 5: Completing the PCI DSS Self Questionnaire


 ISO / Acquirers 5 Step Guide
To PCI Compliance

   Introduction

   Step 1: Engage all resources

   Step 2: Identify and confirm a partner

   Step 3: Make your merchants aware of PCI Compliance

   Step 4: Supply tools to merchant

   Step 5: Implement and track

   Other considerations


 PCI COMPLIANCE
INFO

   New PCI Compliance 1.1 Standards

   PCI Compliant Basics

   PCI Compliance & Consumers

   Implementing PCI Compliance

   PCI Compliant Scan

   Further PCI Compliance Resources

   PCI Compliance Polls & Surveys


 PCI COMPLIANT
VENDORS

   Find PCI Scan Vendors

 About Us

   Contact Us

   PCI Compliance News

   SiteMap

   SSL Certificate

   EV SSL Certificate Guide







PCI DSS: Five Guidelines for Gaining PCI Compliance

Step 1: An Introduction to PCI Compliance

Question: What can happen to you and/or your organization, if you fail to implement or adhere to, the Payment Card Industry Data Security (PCI DSS) compliance rules?

Answer: Ask TJX Companies Inc. (TJX).
Currently, the company-owner of T.J. Maxx and Marshall's department stores and other stores in North America and the United Kingdom-faces more than a dozen class action lawsuits in Alabama, California, Massachusetts, Puerto Rico and six Canadian provinces, for what has been hailed as the single largest data breach in United States history.

TJX revealed in March 2007 that hackers compromised at least 45.7 million credit and debit cards. From July 2005 until the discovery in December 2006, the bandits penetrated a supposedly secure network environment.

In a regulatory filing made with the Securities and Exchange Commission (SEC) after the violation, TJX stated that its computer systems were first hacked in July 2005 by one or more intruders who accessed information from customer transactions dating back to January 2003. TJX officials said that they didn't find out about the breach until about three months ago.

More troubling, however, is the fact that TJX believes that the hackers had access to the decryption tool for their encryption software, making PIN numbers, credit card numbers, and any other unique identifiers easy to see. The SEC filing also said another 455,000 customers who returned merchandise without receipts had their driver's license numbers stolen.

At this time, TJX is not sure whether it was a single breach, or multiple intrusions. The ripples of this breach are far reaching, including the addition of TJX's acquirer-Cincinnati-based Fifth Third Bancorp-as a defendant in some of the lawsuits. The bank processed some payment card transactions for TJX. TJX and its acquirer are not alone in not being cognizant of potential holes in their security systems, as there have been many examples of breaches that have compromised confidential information across several business sectors in the last decade alone. "Companies like LexisNexis, Citibank, ChoicePoint have all had breaches," says Khalid Kark, senior security analyst with Forrester Research. Kark is a leading expert in Security and Risk Management, compliance, best practices, and services.

"The issue is that it's not that the company doesn't have good security, it's just that they haven't really put in all of the effort and the time to understand all of the areas of threat and try to protect against those."

In order to address the threats to credit card information, the PCI Security Standards Council (PCI SSC) was formed in September, 2006.

Even with the guidelines, many organizations have not opted to pursue PCI Compliance, even when they may know that they need to be.

At the same time Visa U.S.A projects that 65 percent of all merchants will be PCI compliant by the end of 2007, and stiff penalties that target acquirers is one tool that the PCI SSC.

If an organization doesn't know that they need to be PCI compliant, or if an organization just doesn't want to be bothered by having to obtain PCI compliance, it soon will not matter. The goal is to have all merchants, regardless of their merchant level, compliant with PCI DSS.

"Being PCI compliant is a smart business decision, as far as securing their [merchants] Web property and Intellectual property," said Richard Stanton, CTO of ControlScan-a leading Internet security solutions company.

"With data being stored virtually, in accessible areas, PCI standards are set up to help businesses with better practices," he continued. "These better practices can begin with 'hey, do you have a lock on your door?' to 'do you have scanning procedures in place?'…being PCI compliant, without being forced to do it, just makes good business sense, period."



pci compliancePrint this page

Send this page to a friend

PCI DSS: 5 Guidelines for Gaining PCI Compliance

Step 1: An Introduction to PCI Compliance Step 2: Finding The PCI DSS Merchant, Service and Compliance Level Step 3: Attaining PCI DSS Compliance-Merchant Step 4: Finding a PCI DSS Approved Scanning Vendor (ASV) Step 5: Completing the PCI DSS Self Questionnaire
PCI Compliance Polls

Are you currently PCI Compliant?
Yes
No
Working towards compliance

Why are you looking at PCI Compliance
Required By Credit Card Processor
Required By Bank
Want to meet industry standards
Looking to secure network

What merchant level do you fall under for PCI Compliance?
Level 1
Level 2
Level 3
Level 4
I have no idea
View PCI Merchant Level Results
View All PCI Compliance Poll Results

EV SSL Certificate Guide

Sponsored Listing:

|  Home  |  About PCI Compliance |  For Acquirers |  Find PCI Compliance Solutions | 
|  Preventing Data Breaches |  Managing Data Breaches |  Contact Us |    EV SSL Certificate Guide | 
© 2008 PCI Compliance Guide.org
   All right reserved - do not copy any material without written permission.