New Security Standards Available to Merchants to Prevent I.D. Theft
Earlier this year, Visa and Mastercard jointly established the Payment Card Industry Data Security Standard (“PCI-DSS”). PCI-DSS was established to safeguard cardholder data and to prevent the identity theft and payment fraud that follow from stolen credit card information.
Currently, PCI-DSS is a voluntary standard that the payment card industry has chosen to impose on its affiliated merchants as a condition for participation in card programs. Merchants participating in card programs must have their compliance with this standard validated on an on-going basis. Participating merchants who fail to comply can be assessed monetary penalties and lose their ability to participate in card programs.
The PCI-DSS is composed of 12 discrete requirements, which are summarized below. Basically, these requirements force merchants to develop a secure network and continually take steps to ensure that the security of the network remains intact.
I. Developing a Secure Network
- Install and maintain a firewall configuration to protect data. A firewall must be installed on the company’s computer network that will prevent unauthorized access to stored cardholder data from both outside and inside the company’s network. Public access to system components storing cardholder data must also be limited. Additionally, steps must be taken to ensure that internal IP addresses are not revealed to outside Internet users.
- Do not use vendor-supplied defaults for system passwords and other security parameters. Vendor-supplied default passwords and security parameters must be changed before a new system is installed on the secure computer network. System components should also be configured to minimize security vulnerabilities.
- Protect stored data. Cardholder data must be protected by minimizing the amount of data stored on the network and by rendering any retained data unreadable. The amount of data stored and the retention period should be the minimum necessary for business, legal, and regulatory purposes. While this data is stored on the computer network, it must be rendered unreadable (for example, through strong encryption), and access to the encryption keys must be strictly limited to the fewest custodians necessary.
- Encrypt transmission of cardholder data and sensitive information across public networks. Cardholder data must be encrypted during transmission over the Internet.
- Use and regularly update anti-virus software. Anti-virus software must be deployed on all servers and desktop computers to protect the company’s computer network from malicious software. The anti-virus software must be current, actively running, and capable of generating audit logs.
- Develop and maintain secure systems and applications. Security vulnerabilities in the computer network must be continually re-evaluated and addressed. The company must establish a process for identifying newly discovered security vulnerabilities, such as subscribing to industry security alert services. Relevant vendor-supplied security patches must be installed within one month of release. Additionally, the company should follow change control procedures for all system and software configuration changes so that these changes do not introduce new vulnerabilities into the system.
- Restrict access to data by business need-to-know. Individuals should be allowed access to cardholder information only if they need that access to fulfill their job functions. Where multiple users share a system, the company must enforce this through an access control mechanism that limits each user to the information required for that individual’s job-related activities.
- Assign a unique ID to each person with computer access. Each person with access to the computer network and cardholder data must be given a unique user ID, so that every action can be traced to a single individual. In addition to the unique ID, all users must authenticate using at least one further method, such as a password, a token device, or a biometric. The company must implement controls to protect the integrity of passwords and other credentials.
- Restrict physical access to cardholder data. The company must restrict physical access to cardholder data and to the systems that store it, so that unauthorized removal of systems or of hardcopies of stored data does not occur. Access to data should be controlled by physically securing all paper and electronic media that contain cardholder information. In addition, this provision prescribes requirements for inventorying, labeling, transferring, and destroying such media.
- Track and monitor all access to network resources and cardholder data. The company must establish a mechanism that links all system access and activities to individual users through audit logs. The system should automatically create audit trails for every individual user’s access to cardholder data and for other system activities that could indicate tampering attempts, and those audit trails must themselves be protected from alteration.
- Regularly test security systems and processes. Security controls and network restrictions must be tested routinely to ensure they can identify and stop unauthorized access attempts. Network vulnerability scans must be conducted at least quarterly, and attempts to penetrate the network must be conducted at least once a year. Vulnerability scans and network penetration tests should also be conducted after any significant infrastructure or application modification.
- Maintain a policy that addresses information security. The company must establish and maintain a security policy that addresses all the requirements of the PCI-DSS. The security policy should clearly define information security responsibilities for all employees and contractors so that they are aware of the sensitivity of the data and their responsibilities for protecting it.
II. Validation Requirement
In addition to taking the steps necessary to meet the PCI-DSS requirements, merchants participating in card programs must have their compliance with the standard validated on an on-going basis; as noted above, failure to do so can result in monetary penalties and loss of the ability to participate in card programs.
There are three different methods that can be used by merchants to validate compliance: Annual On-Site Security Audit, Quarterly System Perimeter Scan Report, and Annual Self-Assessment Questionnaire. The combination of validation methods that a merchant must use depends on the number of transactions that the merchant processes annually. Large merchants (more than 6,000,000 annual transactions) must perform an annual audit and quarterly perimeter scans.
Medium-sized merchants (20,000 to 6,000,000 annual transactions) must perform quarterly perimeter scans and fill out the annual self-assessment questionnaire. Small merchants (less than 20,000 annual transactions) are not currently required to complete any validation method, but the industry recommends that they perform the quarterly perimeter scans and the annual questionnaire.
III. Proposed Legislation
As stated earlier, PCI-DSS is currently a voluntary standard that the payment card industry has chosen to impose on its affiliated merchants as a condition for participation in card programs. Various pieces of proposed congressional legislation would mandate more stringent regulation of the collection and dissemination of personal information obtained from consumers.
While much of this legislation focuses on providing consumers the ability to prevent companies from selling or passing on their personal information, some legislation also focuses on preventing the unauthorized disclosure of personal information.
Anthony Lupo
202-857-6353
lupo.anthony@arentfox.com
Sarah Bruno
202-775-5760
bruno.sarah@arentfox.com