Safeguarding the Cardholder Data Environment

Credit card fraud is a major component of financial fraud: 40% of all financial fraud cases involve credit card accounts, and one out of every ten Americans has been a victim of credit card fraud. Debit card and ATM card fraud is close behind, with 7% of Americans having been victims. The problem is not confined to the U.S., however. Worldwide, credit card fraud accounts for $5.55 billion in fraud losses.

Payment Card Industry Data Security Standard

Realizing the prevalence of card-related fraud, the major credit card companies have each had their own cardholder information security requirements that merchants must follow in order to be eligible to accept credit card or debit card transactions from customers. The requirements of the individual credit card companies were somewhat similar, with a common goal of reducing fraud involving credit and debit cards. These policies helped ensure that merchants were meeting the minimum security requirements as they processed, transmitted, and stored cardholder information.

On December 15, 2004, the credit card companies consolidated their individual policies into a single standard. This new policy was named the Payment Card Industry Data Security Standard (PCI DSS). The policy has undergone a few revisions since its inception:
· PCI DSS version 1.1 in 2006
· PCI DSS version 1.2 in 2008
· PCI DSS version 1.2.1 in 2009
· PCI DSS version 2.0 in 2010.

Cardholder Data Environment

The PCI DSS policies all center on the Cardholder Data Environment, or CDE. The CDE includes all people, technology, and processes that process, transmit, or store customers' cardholder data. Cardholder data consists of the primary account number (PAN), or the full contents of the magnetic stripe, in addition to any of the following pieces of information:
· Name of the cardholder
· Card expiration date
· Service code.

Persons Included In The CDE

The persons comprising the CDE include the merchant or organization that initially acquires credit card information from the customer, as well as organizations involved in the approval of payments, the transfer of funds, and any other entity that comes into contact with cardholder data. For instance, the bank that issues the credit card account, gateway services, funds transfer services, and the bank that issues the merchant account are all part of the CDE. The scope of the CDE goes beyond this, however, and can even include services that provide managed firewalls, intrusion detection services, and more.

Technology Included In The CDE

The technology included in the CDE is everything from card reading machines and onsite merchant computer hardware and software involved in processing, transmitting, and storing cardholder data, to the servers involved in the transmittal of data. This includes system components such as switches, routers, security appliances, and more. It also includes the hardware and software of organizations that approve and process transactions on behalf of the merchant. Some of the safeguard requirements that apply to technology in the Cardholder Data Environment are:
· Encryption—which converts cardholder data into unreadable ciphertext before it is stored or transmitted. The data can then be read only by a party holding the corresponding cryptographic key, and access to that key should be restricted to a select few people.
· Firewalls—which protect a network from access by unauthorized entities by allowing or denying traffic between networks with differing security levels. The rules that allow or deny traffic are defined by the organization.

Reducing Costs For Merchants

Merchants and organizations incur expenses in order to meet the requirements of the PCI DSS. These costs can include PCI compliance audits, securing cardholder data storage, encryption technology, payment application upgrades and maintenance, and more. Merchants can reduce the costs of PCI compliance by:
· Limiting the scope of the CDE
· Limiting the storage of card data
· Using secure payment gateways
· Using data tokenization
· Using PCI compliant hosting providers.
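Limiting card data storage and scope requires knowing where PANs actually end up, since a log or database that unintentionally holds card numbers pulls that system into the CDE. As an added example (not code from the original article), the Python below scans text such as application logs for Luhn-valid PANs and masks them to the first six and last four digits; the log lines and card numbers are constructed for illustration (the card numbers are public test numbers, not real accounts).

```python
import re

# Contiguous 13-19 digit runs, or the common 4-4-4-4 and 4-6-5 groupings
# (one space or dash between groups); not adjacent to other digits.
_PAN_CANDIDATE = re.compile(
    r"(?<!\d)(?:\d{13,19}|\d{4}(?:[ -]\d{4}){3}|\d{4}[ -]\d{6}[ -]\d{5})(?!\d)"
)

# Constructed sample log lines; card numbers are public test numbers.
SAMPLE_LOG = """\
2024-03-01 10:02:11 order=1234567890123456 status=ok
2024-03-01 10:02:12 DEBUG card=4111 1111 1111 1111 exp=12/26 name=J. Doe
2024-03-01 10:02:13 DEBUG amex=378282246310005 auth=approved
2024-03-01 10:02:14 phone=+1 555 0100 ref=5500000000000004
"""

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(raw: str) -> str:
    """Keep only the first six and last four digits; separators are preserved."""
    n = sum(c.isdigit() for c in raw)
    out, seen = [], 0
    for c in raw:
        if c.isdigit():
            seen += 1
            c = c if seen <= 6 or seen > n - 4 else "*"
        out.append(c)
    return "".join(out)

def redact_pans(text: str):
    """Return (redacted text, list of Luhn-valid PANs found as plain digits)."""
    found = []

    def _sub(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # e.g. an order number: leave it untouched
        found.append(digits)
        return mask_pan(raw)

    return _PAN_CANDIDATE.sub(_sub, text), found
```

The 16-digit order number on the first line passes the length check but fails Luhn and is left alone, while the three card numbers are reported and masked in place. A non-empty result from a scan like this over logs or backups is a sign that card data is being stored where it was not intended.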

Becoming PCI Compliant

An important part of making your card data environment ready for use is completing a Payment Card Industry (PCI) compliance check. This compliance check is necessary because any organization that handles credit card information may have security vulnerabilities that it isn’t aware of; a compliance check rigorously screens each organization to make sure that it is in compliance with the most up-to-date standard. Any organization that processes, transmits, or stores credit card and debit card information has to meet PCI compliance standards.

About PCI Compliance

In 2006 the Payment Card Industry Security Standards Council was created to enforce a standardized code of security measures. These measures must be in place at any organization handling credit card information. The standards are intended to make the transmission of sensitive financial information more secure for customers, merchants, payment processing companies, and authorizing banks.

Who Needs to Comply?

Any organization or enterprise that accepts credit cards or debit cards has to be in complete compliance with PCI standards. Regardless of how frequently a payment is made with a credit card, an organization must still have a fully secure system.

Becoming Compliant

There are five steps that any organization must complete before their PCI compliance status goes into effect.

The validation type of the organization must first be determined. These types are outlined by the PCI DSS (Payment Card Industry Data Security Standard); to determine your type you can refer to the compliance standard or ask your compliance consultant. An assessment questionnaire can also be used.

Once the organization’s validation type has been determined, the organization then must pass a vulnerability scan. This scan tests the system the organization has in place to see if it meets the compliance standard; the scan must be performed by a PCI SSC Approved Scanning Vendor. Not every organization will need to have a vulnerability scan completed; only merchants of particular validation types will need to have this scan conducted.

When the scan has been completed and any vulnerabilities within the system identified and repaired, then an Attestation of Compliance can be completed. This document outlines the vital information related to the vulnerability scan and includes any additional documentation required for compliance. Assessment questionnaires, scan results, Attestation of Compliance, and all other required documents are then submitted to the acquirer.

Support at Each Step

Each step of the PCI compliance process must be completed before moving on to the next. At any point there is the possibility that corrections will need to be made, and as the process goes on, the costs associated with completing it can rise. A compliance consultant can be very helpful to organizations looking to keep their compliance costs down. Consultants can help you identify which validation type your organization falls under and provide guidance through the assessment process.

PCI compliance is a necessary part of doing business, but the compliance process doesn’t have to be expensive. Becoming educated about what compliance entails and speaking with a consultant can help you successfully complete this important requirement.

PCI Host offers a Free PCI Hosting Consultation that may be invaluable to you in moving forward.