Safeguarding the Cardholder Data Environment

Financial fraud involving credit cards has been a major component of fraud. Of all financial fraud cases, 40% involve credit card accounts. One out of every ten Americans has been a victim of credit card fraud. Debit card or ATM card fraud is close behind, with 7% of Americans being victims. The problem is not isolated to the U.S., however. Worldwide, credit card fraud accounts for $5.55 billion in fraud losses.

Payment Card Industry Data Security Standard

Realizing the prevalence of card-related fraud, the major credit card companies have each had their own cardholder information security requirements that merchants must follow in order to be eligible to accept credit card or debit card transactions from customers. The requirements of the individual credit card companies were somewhat similar, with a common goal of reducing fraud involving credit and debit cards. These policies helped ensure that merchants were meeting the minimum security requirements as they processed, transmitted, and stored cardholder information.

On December 15, 2004, the credit card companies consolidated their individual policies into one. This new policy was named the Payment Card Industry Data Security Standard (PCI DSS). The policy has undergone a few revisions since its inception
· PCI DSS version 1.1 in 2006
· PCI DSS version 1.2 in 2008
· PCI DSS version 1.2.1 in 2009
· PCI DSS version 2.0 in 2010.

Cardholder Data Environment

The PCI DSS policies all center around the Cardholder Data Environment, or CDE. The CDE includes all people, technology, and processes that process, transmit, or store cardholder data of customers. Cardholder data consists of the primary account number (PAN), or the full magnetic strip, in addition to any of the following pieces of information:
· Name of the cardholder
· Card expiration date
· Service code.

Persons Included In The CDE

The persons comprising the CDE include the merchant or organization that initially acquires credit card information from the customer, as well as organizations involved in the approval of payments, the transferring of funds, and any other entity that comes in contact with cardholder data. For instance, the bank the issues that credit card account, gateway services, funds transferring services, and the bank that issues the merchant account are all part of the CDE. The scope of the CDE goes beyond this, however, and can even include services that provide managed firewalls, or intrusion detection services, and more.

Technology Included In The CDE

The technology included in the CDE is everything from card reading machines and onsite merchant computer hardware and software involved in processing, transmitting, and storing cardholder data, to the servers involved in the transmittal of data. This includes system components such as switches, routers, security appliances, and more. It also includes the hardware and software of organizations that approve and process transactions in behalf of the merchant. Some of the safeguard requirements that apply to technology in the Cardholder Data Environment are:
· Encryption—which is the translation of information into a coded language before transmitting it. The information can then only be translated using a cryptographic key that only a select few people have access to.
· Firewalls—which protect a network from access by unauthorized entities by granting or denying traffic between networks with differing security levels. The criteria for access or denial are custom set.

Reducing Costs For Merchants

Merchants and organizations incur expenses in order to meet the requirements of the PCI DSS. These costs can include PCI compliance audits, securing cardholder data storage, encryption technology, payment application upgrades and maintenance, and more. Merchants can potentially reduce their costs incurred by PCI compliance by
· Limiting the scope of the CDE
· Limiting the storage of card data
· Using secure payment gateways
· Using data tokenization
· Using PCI compliant hosting providers.

Reducing the Costs of PCI Compliance

PCI DSS is also known as the “Payment Card Industry Data Security Standard”. It is a set of rules and regulations set in place to make sure that every business that processes, stores, or transmits electronic payment and credit card information does so using a secure manner. Annual validation is necessary for a business to maintain its PCI compliance. The purpose of the PCI DSS compliance regulations are to decrease the risk of exposing consumer credit card information to credit card fraud.

The Costs of PCI DSS Compliance

It is a requirement of the PCI DSS specification that businesses that accept credit card payments effectively utilize data security protocols to help prevent cardholder exposure to credit card fraud. The costs incurred by a business for PCI compliance may include (but are not limited to) costs for securing cardholder data storage, on-premise payment applications, establishing and implementing encryption technology, key management technology, PCI compliance audits, payment application upgrades, and payment application maintenance.

How to reduce the cost of PCI Compliance

Limit the Scope of the Card Data Environment
By isolating systems that house credit card data, you can limit the scope of the card data environment and reduce costs. In this way professional PCI Compliance Consultants can be very valuable in helping you limit your responsibility and cost.

Limit the Storage of Card Data
In fact best practice and PCI compliance recommends that merchants do not store card data at all. This removes from your systems the primary target of cyber threats as they relate to PCI Compliance standards.

Utilize Secure Payment Gateways
Providing a secure payment gateway is the first step in preventing credit card payment data from compromise. Keeping the transaction secure from beginning to end will help keep costs down and reduce your risk of crippling fines.

Consider Data Tokenization
Data Tokenization is used to maintain PCI compliance by replacing sensitive credit card data with a “coded” substitute. Using data tokenization can help to lower PCI compliance costs by reducing a business’ scope of compliance.

Utilize a Secure, PCI Compliant Hosting Provider
If your business accepts transactions online, it is incredibly important that your website be backed by a highly secure, PCI compliant hosting provider. This goes a long way to ensure that your business will be able to complete transactions in a secure and safe environment.

Reducing PCI Compliance Costs – Conclusion

The costs of PCI compliant hosting are a necessary expenditure for accepting credit card payments and conducting business online. Without appropriate PCI DSS Compliance in place, your business is left wide open to enormous fees that may be imposed in the event that your systems are compromised and cardholder data is exposed.

Most business research agrees strongly that the cost is justified, because the cost of leaking secure customer credit card data is far greater than the cost of PCI compliance. However, even though the cost of PCI compliance is necessary and justified does not mean the cost must be tremendous.

To help lower your PCI compliant hosting costs it is adviseable to speak with a professional in this area. For your benefit PCIHost.com offers a free consultation for anyone considering the need for PCI DSS compliant solutions of any kind.