Teldata.Wordpress.com | ParagonHost.com

November 15, 2007

Finding The PCI DSS Merchant, Service and Compliance Level

Filed under: Security Focus — paragonhost @ 6:30 pm

Source: http://www.pcicomplianceguide.org/step2a.html

Step 2: Finding The PCI DSS Merchant, Service and Compliance Level
Should Your Organization be Concerned about PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data.

If you are one of the above, PCI compliance is not a request or a suggestion; it is a requirement.

However, according to the PCI DSS documentation, “PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.”
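The scoping rule above turns on a factual question: is a PAN present on the system at all? The following is an added example, not code from pcicomplianceguide.org or the PCI Security Standards Council, of the kind of discovery check a practitioner runs before deciding scope. It scans text for 13-to-19-digit runs that pass the Luhn check-digit test (which every valid PAN does, so it filters out order numbers and timestamps) and reports hits masked to the first six and last four digits, a common display convention. The log lines are constructed, the two card numbers in them are standard industry test numbers rather than real cards, and the regular expression and masking rule are this example's own choices.

```python
from __future__ import annotations
import re

# Luhn (mod 10) check-digit test: every valid PAN passes it, so it filters
# out most digit runs (order numbers, timestamps) that merely look like cards.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run. (This regex is the example's own choice.)
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid candidate PANs in text, digits only."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (a common display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(text: str) -> list[tuple[int, str]]:
    """(line number, masked PAN) for every hit; the scanner never emits a full PAN."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings

# Constructed sample log lines (not real data). The two card numbers are
# well-known industry test numbers; the 1234... run fails the Luhn check.
SAMPLE_LOG = """\
2007-11-15 18:30:01 order=ORD-883412 card=4111-1111-1111-1111 amount=49.99
2007-11-15 18:30:02 order=ORD-883413 card=1234567890123456 amount=12.00
2007-11-15 18:30:03 ticket=55120 note="customer read 378282246310005 over the phone"
"""

if __name__ == "__main__":
    for line_no, masked in scan(SAMPLE_LOG):
        print(f"line {line_no}: possible PAN {masked}")
```

Two caveats when using a check like this for scoping. A Luhn hit is a candidate to investigate, not proof of a PAN, and the absence of hits proves nothing about encrypted, encoded or binary storage, so a negative result does not by itself take a system out of scope. And the scanner must not itself become a new store of cardholder data: it reports masked values only and writes nothing to disk.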

By the end of 2007, any organization that accepts payment card transactions must be in compliance with the standards.

Card brands and acquiring banks can levy stiff fines and remove a merchant’s ability to process card transactions until the merchant is PCI compliant.

Basic rules on PCI DSS compliance:
PCI DSS compliance applies to merchants and service providers who accept, capture, store, transmit or process credit and debit card data.
As of September 2006, PCI DSS 1.1 comprises 12 major requirements. A single violation of any one of them can result in an overall non-compliant status.
Each non-compliance incident can result in steep fines and in suspension or revocation of card processing privileges.

In a recent PCI webinar hosted by Imprivata and Forrester Research, Forrester analyst Khalid Kark said that questions about how to determine whether a service provider needs to be PCI DSS compliant are very common.

“I get these questions all of the time,” he commented.

“The rule of thumb is this: If you house credit card information, in whatever form, if you house the information in your server (the server that you own or you added), then you are basically responsible for complying with PCI DSS,” Kark stated.

Even with a uniform standard, evidence suggests that there has not been a huge rush to comply since the PCI Security Standards Council instituted the new security standards. Many organizations have started to comply or to audit certain areas, but the overall numbers vary considerably by merchant level.

According to data collected by Visa, in 2006 only 18 percent of Level 1 merchants (those with 6 million or more Visa transactions per year) were compliant with PCI DSS, compared with 35 percent in 2007.

Another 51 percent have submitted a report on where they stand in terms of compliance, and 93 percent of the responding merchants certified that they are not storing PINs, card verification values or other prohibited card data.

Only 26 percent of Level 2 merchants (those with 1 million to 6 million Visa or MasterCard transactions per year) are PCI compliant at this time, but Level 3 merchants (those with 20,000 to 1 million Visa or MasterCard transactions per year) have a higher compliance rate, at 51 percent.

According to information gathered by Kark and Forrester Research, organizations are spending a lot of money to become PCI compliant, but it still takes a long time for them to see the benefits of that spending.

“We’ve found that, over the years, typically there is one year in which there is a push to get spending, or to have spending, in terms of a specific regulation,” Kark explained.

“In 2005, for government, it was FISMA [the federal government’s information security compliance program] and there was a lot of spending in terms of getting the controls in place, getting the technology in place, and so on, and in 2006 we saw a similar trend in the retail industry, where the retail industry spent a lot of money in terms of getting compliant with PCI.”

Continuing, Kark said that implementing a PCI DSS compliance program is still a lengthy process.

“Once you start implementing technologies, once you start investing in security controls, then it takes a couple of years from implementation to realize the benefits of that spending,” he said.

“And to be able to get to the fact of ‘well, yes we are compliant completely, and yes we spent the money a couple of years ahead of time, but then we needed to put in processes and other things that we’re kind of realizing the benefits of that spending.’”

From surveys conducted by Forrester Research, Kark believes that most companies will be compliant with PCI DSS within the next 6 to 12 months.

“That may be a little late for some companies, but that is the data that we find, at the moment,” Kark said.

Being PCI DSS compliant today does not mean an organization will remain compliant indefinitely. Compliance is an ongoing obligation: the requirements evolve as new technologies and new ways of stealing cardholder data appear.

“In general, compliance is 100 percent, but it’s a certain point in time, so if you are compliant today, it doesn’t necessarily mean you will be compliant tomorrow,” Kark said.

“Being compliant means that at the time of the audit you [the organization] were PCI compliant to 100 percent of the requirement with respect to whoever the auditor was…it’s the auditor that makes the judgment, but it may not really remain 100 percent throughout.”

Suggested Links

https://www.pcisecuritystandards.org/

http://www.forrester.com/rb/

About the PCI Data Security Standard (PCI DSS)

Filed under: Security Focus — paragonhost @ 6:16 pm

Source: https://www.pcisecuritystandards.org/tech/index.htm 

The PCI DSS version 1.1, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

The PCI DSS January 2005 version has been enhanced in the PCI DSS Version 1.1. The PCI DSS January 2005 version may no longer be used for PCI DSS compliance validation after December 31, 2006.

The PCI Security Standards Council will enhance the PCI DSS as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption.

Ongoing development of the standard will provide for feedback from the Advisory Board and other participating organizations. All key stakeholders are encouraged to provide input, during the creation and review of proposed additions or modifications to the PCI DSS.

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

To further the adoption of the PCI DSS, the PCI Security Standards Council defines credentials and qualifications for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). The Council also manages a global training and certification program for QSAs and ASVs, and publishes a directory of certified providers on its Web site.
