Financial fraud involving credit cards has long been a major component of fraud overall. Of all financial fraud cases, 40% involve credit card accounts, and one out of every ten Americans has been a victim of credit card fraud. Debit card and ATM card fraud is close behind, with 7% of Americans having been victims. The problem is not isolated to the U.S., however: worldwide, credit card fraud accounts for $5.55 billion in fraud losses.
Payment Card Industry Data Security Standard
Recognizing the prevalence of card-related fraud, the major credit card companies each maintained their own cardholder information security requirements that merchants had to follow in order to be eligible to accept credit card or debit card transactions from customers. The requirements of the individual card companies were broadly similar, sharing the common goal of reducing fraud involving credit and debit cards. These policies helped ensure that merchants met minimum security requirements as they processed, transmitted, and stored cardholder information.
On December 15, 2004, the credit card companies consolidated their individual policies into one. This new policy was named the Payment Card Industry Data Security Standard (PCI DSS). The standard has undergone a few revisions since its inception:
· PCI DSS version 1.1 in 2006
· PCI DSS version 1.2 in 2008
· PCI DSS version 1.2.1 in 2009
· PCI DSS version 2.0 in 2010.
Cardholder Data Environment
The PCI DSS requirements all center on the Cardholder Data Environment, or CDE. The CDE includes all people, technology, and processes that process, transmit, or store customers' cardholder data. Cardholder data consists of the primary account number (PAN), whether keyed in or read from the full magnetic stripe, together with any of the following pieces of information:
· Name of the cardholder
· Card expiration date
· Service code.
Persons Included In The CDE
The persons comprising the CDE include the merchant or organization that initially acquires credit card information from the customer, as well as organizations involved in the approval of payments, the transferring of funds, and any other entity that comes into contact with cardholder data. For instance, the bank that issues the credit card account, gateway services, funds transfer services, and the bank that issues the merchant account are all part of the CDE. The scope of the CDE goes beyond this, however, and can even include service providers that supply managed firewalls, intrusion detection services, and more.
Technology Included In The CDE
The technology included in the CDE is everything from card reading machines and onsite merchant computer hardware and software involved in processing, transmitting, and storing cardholder data, to the servers involved in the transmittal of that data. This includes system components such as switches, routers, security appliances, and more. It also includes the hardware and software of organizations that approve and process transactions on behalf of the merchant. Some of the safeguard requirements that apply to technology in the Cardholder Data Environment are:
· Encryption—which renders cardholder data unreadable wherever it is stored or transmitted. The data can only be recovered with a cryptographic key, so access to that key must be restricted to the few people and systems that genuinely need it.
· Firewalls—which protect a network from access by unauthorized entities by allowing or denying traffic between networks with differing security levels. The rules that decide which traffic is allowed are defined by the organization; traffic not explicitly permitted should be denied by default.
Reducing Costs For Merchants
Merchants and organizations incur expenses in order to meet the requirements of the PCI DSS. These costs can include PCI compliance audits, securing cardholder data storage, encryption technology, payment application upgrades and maintenance, and more. Merchants can potentially reduce the costs incurred by PCI compliance by:
· Limiting the scope of the CDE
· Limiting the storage of card data
· Using secure payment gateways
· Using data tokenization
· Using PCI compliant hosting providers.
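The two scope-reduction measures that matter most for a merchant's own systems are limiting card data storage and tokenization. The following is an added example, not code from the original page or from any tokenization provider: a merchant keeps only a random token and a masked PAN in its order records, a stand-in vault (an in-memory dictionary here; a real provider keeps the PAN encrypted in its own assessed environment) is the only component that ever holds the full PAN, and a scanner checks stored data for anything that still looks like a PAN. The sample PAN is a constructed, well-known test number; the `TokenVault` class, `make_order_record` and `find_pans` are hypothetical names chosen for this illustration. Masking keeps at most the first six and last four digits, which is the maximum PCI DSS allows to be displayed.

```python
import json
import re
import secrets
import string

# Constructed sample PAN: a widely used test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: separates real-looking PANs from arbitrary digit runs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything else is masked."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for a tokenization provider (hypothetical, in-memory).

    Only this object ever stores the full PAN. The merchant never sees it again
    after calling tokenize(); detokenize() is the provider's job.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:       # same card, same token (for repeat customers)
            return self._token_by_pan[pan]
        # Random, letters-only token: not derivable from the PAN, and it can
        # never itself be mistaken for a card number by a PAN scanner.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def make_order_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's database keeps: token plus masked PAN, never the PAN."""
    return {
        "token": vault.tokenize(pan),
        "masked_pan": mask_pan(pan),
        "amount_cents": amount_cents,
    }


# 13 to 19 digits, optionally separated by spaces or hyphens.
_PAN_RE = re.compile(r"(?:\d[ -]?){12,18}\d")


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid digit runs found in text (a coarse stored-data scanner)."""
    found = []
    for m in _PAN_RE.finditer(text):
        candidate = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(candidate):
            found.append(candidate)
    return found


def record_contains_pan(record: dict) -> bool:
    """Check that a record about to be stored carries no full PAN."""
    return bool(find_pans(json.dumps(record)))


if __name__ == "__main__":
    vault = TokenVault()
    order = make_order_record(vault, SAMPLE_PAN, 1999)
    print(order)                                  # token + 411111******1111
    print(record_contains_pan(order))             # False
    print(find_pans("card 4111-1111-1111-1111"))  # ['4111111111111111']
```

The scanner is deliberately simple: it takes the longest digit run at each position and does not retry shorter windows, so it is a check that stored records are clean rather than a substitute for a proper data-discovery tool. The masked PAN passes the scanner because only ten digits survive masking, which is the point of the display rule.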