PCI-DSS EXPLAINED
Monday, June 7, 2010
If you are a store owner, are you sure you aren't liable for a $500,000 fine? If you are not sure, you should check your compliance with the PCI DSS requirements. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements first published in December 2004 by the major card brands and now maintained by the PCI Security Standards Council (formed in 2006) to protect cardholder data and fight fraud. For a retail system to be classified as PCI compliant, and thus authorized to process payment cards, it must meet the requirements laid out in PCI DSS. Version 1.2 superseded 1.1, and the deadline for it is only a month away. The requirements are the same worldwide, not just across North America.
Merchants must be fully compliant with PCI DSS 1.2 by July 1, 2010; assessments completed against version 1.1 remain valid until that date. From then on, an annual Self-Assessment Questionnaire (SAQ) is required, and quarterly external vulnerability scans by a PCI Approved Scanning Vendor (ASV) are required wherever the store has Internet-facing systems. If a case of credit card fraud is investigated and the merchant is found not to have been compliant, the merchant can be fined up to $500,000 by the card brands.
Microsoft Dynamics RMS is only compliant from version 2.0 SP2 onward, so if you are running RMS 1.2, 1.3, or a 2.0 release earlier than SP2, now is a great time to upgrade.
PCI compliance goes further than the software installed on the register, as the 12 requirements of PCI DSS (listed below) make clear. The entire store must be protected from compromise, and both physical and electronic data must be properly secured. That includes such basic measures as a correctly configured firewall, encryption of stored card data, and keeping paper forms that carry credit card numbers in a locked cabinet. The payment software nevertheless remains the most critical point, because it is what actually handles the card data.
The push for PCI standards is a response to rising credit card fraud. When a card is swiped, the reader returns the magnetic stripe's track data as a string of raw, unencrypted text: the card number (PAN), expiration date, cardholder name and service code, plus the discretionary data that the card brands classify as sensitive authentication data. Such a string is extremely vulnerable: if it is written to disk unprotected it can be copied from the hard drive, stolen in a break-in, or sniffed off a wireless network. To prevent this, PCI DSS groups its controls into 12 requirements that every business and every piece of software handling payment cards must meet:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
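The swipe-data point above, as an added example (this is not code from the original post or from Microsoft Dynamics RMS): a small Python script that parses a constructed magnetic-stripe swipe into the fields a merchant is allowed to keep after authorization (masked PAN, expiry, service code, name), discards the full track and discretionary data that requirement 3 forbids storing, and then scans a constructed POS debug log for Luhn-valid card numbers. The scan is the check a merchant can run against their own logs and disks to find the unencrypted PANs the text warns about. Track layouts follow ISO/IEC 7813; the sample swipe, the log lines and the well-known test card numbers are constructed for this example and are assumptions, not data from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Magnetic-stripe track layouts (ISO/IEC 7813) as a keyboard-wedge reader types them, in plaintext:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")

# Candidate PAN in free text: 13-19 digits, optionally separated by spaces or dashes,
# and not part of a longer digit run.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands; weeds out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class SwipeRecord:
    """What a merchant system may retain after authorization under requirement 3.
    Full track contents, discretionary data and any card verification value are
    sensitive authentication data and are deliberately not carried in this record."""
    pan_masked: str
    expiry: str           # YYMM
    service_code: str
    name: Optional[str]   # only present on track 1


def parse_swipe(raw: str) -> SwipeRecord:
    """Reduce raw reader output to the storable fields; rejects misreads via Luhn."""
    m1 = TRACK1_RE.search(raw)
    m2 = TRACK2_RE.search(raw)
    m = m2 or m1
    if m is None:
        raise ValueError("no track data in input")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check; probable misread")
    return SwipeRecord(
        pan_masked=mask_pan(pan),
        expiry=m.group("exp"),
        service_code=m.group("svc"),
        name=m1.group("name").strip() if m1 else None,
    )


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Scan text (a POS debug log, a config file, strings carved from a disk image) for
    Luhn-valid card numbers. Returns (line number, masked PAN) so a hit can be reported
    without re-exposing the full number. Timestamps and reference numbers are digit runs
    of similar length but almost always fail the Luhn check."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((line_no, mask_pan(digits)))
    return hits


# Constructed sample input (assumption, not data from the page): one swipe as a reader would
# type it, and a POS debug log that leaked card data. Card numbers are well-known test numbers.
SAMPLE_SWIPE = ("%B4111111111111111^DOE/JOHN          ^25121011000000000000?"
                ";4111111111111111=25121011000000000?")

SAMPLE_LOG = """\
2010-06-07 09:14:02 POS1 txn=000123 auth ok pan=4111111111111111 amt=42.10
2010-06-07 09:15:44 POS1 txn=000124 card 5500 0000 0000 0004 exp=1212 auth ok
2010-06-07 09:16:10 POS1 txn=000125 phone=555-0100 ref=20100607123045 declined
2010-06-07 09:17:31 POS2 txn=000126 amex 378282246310005 cvv=123 auth ok
"""

if __name__ == "__main__":
    print("stored record:", parse_swipe(SAMPLE_SWIPE))
    for line_no, masked in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: unencrypted PAN found: {masked}")
```

Running the script shows three hits in the sample log (lines 1, 2 and 4); the 14-digit reference number on line 3 is ignored because it fails the Luhn check. The same `find_pans` routine can be pointed at exported logs, database dumps or `strings` output from a register's disk to confirm that no full PANs are sitting unencrypted where requirement 3 says they must not be.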