Security Tips
Fritz Young
Feb. 27, 2009
Is PCI Compliance a Law? Should it be?
Is PCI compliance a law? The short answer is no. The long answer is that while it is not currently a federal law, there are state laws that are already in effect (and some that may go into effect) to force components of the PCI Data Security Standard (PCI DSS) into law. In addition, there is a big push by legislatures and industry trade association to enact a federal law around data security and breach notification.
In 2007 Minnesota established the “Plastic Card Security Act” which states that any company that is breached and is found to have been storing “prohibited” PCI data (e.g., magnetic stripe , CVV codes, track data etc) are required to reimburse banks and other entities for costs associated with blocking and reissuing cards. This law also opens up these companies to private lawsuits. Currently, the law does not affect Level 4 merchants (less than 20,000 transactions a year).
Recent Articles
Security vs. PCI Compliance
Reading accounts of highly publicized data breaches over the last few months occurring in companies that are seemingly PCI compliant, begs the question, “does PCI compliance equal security?” The answer is, “it depends.” Unfortunately no business is ever completely secure, but companies can mitigate their risk and make it much harder and more resource intensive for anyone to breach their defenses.
What Constitutes a Payment Application?
Companies frequently ask us about what constitutes a payment application as it relates to PCI Compliance. The term payment application has a very broad meaning in PCI. So hopefully the content of this brief article will help clarify the subject and better define the term.
Web Application Security – How do you know which Solutions will work best for your Business?
If you must store credit card data or you are interested in strengthening your current security practices, it is important to focus attention on your Web applications.
