PCI Compliance: What Is It, and What\'s New?

If you are a merchant or service provider accepting credit or debit cards for payment, you need to be aware of the current regulations associated to the handling and processing of customer information.


What is PCI?

Since 2005, major credit card brands have required that merchants and service providers of all sizes involved with the collection and processing of credit card transactions be fully compliant with the Payment Card Industry Data Security Standard (PCI DSS). Organizations that are still not compliant are expected to be actively working on achieving compliance. Those that don't make satisfactory progress are subject to penalties that can include substantial fines and the cancellation of processing contracts.

PCI DSS is a collection of standards designed to reduce the possibility for account data compromise and related fraud involving payment cards, like major credit and debit cards. These standards are managed by the PCI Security Council, which in turn is managed by an association of the major credit card brands (Amex, Discover, JCB, Master Card, and Visa). Managing compliance is the job of the member brands and is enforced contractually as well as by your Acquirer (your transaction processor).

Organizations are categorized by the type of payment processing they perform, the volume of transactions or accounts processed, and the payment channels used. Merchants that take payments as well as service providers that process credit card information are grouped in levels based on these secondary factors.

Note that PCI standards extend to payment applications and payment terminals. Organizations looking to implement new payment applications or payment terminals should be aware of the Payment Application Data Security Standard (PA-DSS), which applies to 3rd party payment applications, as well as of PIN Transaction Security (PTS) hardware standards for PIN entry Devices (PEDs). (Merchants and Service Providers should leverage the list of compliant applications and hardware as a purchasing/leasing tool. See reference links [2] and [3] below.)


What's New in PCI?

PCI regulations have evolved and continue to be updated. In the meantime, deadlines for achieving compliance are looming. Here's what to look for in the next 12 - 18 months:


Currently:

  • Organizations not yet compliant are being asked to complete and file quarterly progress updates against the PCI Prioritized Approach document. Smaller merchants not making progress may be fined if they were formally notified of their responsibilities by their Acquirer more than 1 year ago.
  • Newly signed merchants and service providers using 3rd party payment applications must use PA-DSS compliant versions to process transactions. Although this is being enforced by the Acquirers, many payment applications have escaped notice until recently and vendors are now scrambling to certify. [1]

2010:
  • By July 1st: All merchants and service providers with 3rd party payment applications must use PA-DSS compliant versions to process transactions. [1]
  • By September 30th: All Level 1 merchants must demonstrate full compliance through an on-site audit and Report on Compliance with a certified PCI Qualified Security Assessor. Fines for non-compliance are expected to begin in October. [4]
  • By September 30th: All Approved Scanning Vendors (ASVs) will be changing their processes to comply with new requirements. While the method of scoring and assessing vulnerabilities will not change, there are additional disclosures, special notes, and attestations required by the new processes. Additional effort on the part of merchants and service providers is expected. Finally, the ASV scans will now require a web application vulnerability phase and is expected to find many previously undetected PCI failures. [7]
  • By October 1st: Publication of the bi-annual update of the PCI DSS standard (version 1.3). Expect clarifications and some new PCI requirements. [5]

2011:
  • By January 1st: PCI DSS version 1.2.1 and earlier become obsolete. All assessments must use the newly updated DSS. [5]
  • By June 30th: Level 1 merchants conducting their own on-site audits must use internal auditors that train and pass PCI SSC merchant training annually. [6]
  • By June 30th: Level 2 merchants must either have an on-site assessment completed by a QSA or if completing the self-assessment questionnaires must use staff that train and pass PCI SSC merchant training annually. [6]

How can Primus Managed Hosting help?

Primus is a Certified Level 1 PCI service provider for its 7 Canadian Internet Data Centre facilities.

Using a certified hosting provider avoids complex and time consuming effort at the start of the project. If your hosting provider isn't certified, then under the standard, the onus lies with your organization to either audit the premises according to the standards or to employ an organization to do this on your behalf.

Your responsibility for the non-infrastructure aspects of compliance, such as implementing a corporate security policy and ensuring that your employees are trained on proper cardholder data handling is much easier when the technical infrastructure aspects are already being addressed on your behalf by the Primus team.

Working with each customer, Primus can ensure a safe, compliant and successful hosting experience. Knowing and understanding what PCI compliance is and who is responsible for which parts will lead to even more success for all involved in the process.

It also means that the people, money and time that you'd rather dedicate to your customers will not be spent creating, implementing and managing the tools and technologies that you need to stay compliant.