Most of us are familiar with some of the recent security breaches in which consumers’ credit and debit card data were hacked and stolen. Perhaps the most infamous, the 2003-2004 theft of data from the TJX family of stores (Marshalls, TJMaxx and others) resulted in the theft of at least 45 million credit and debit card numbers and ultimately cost the company an estimated $9.75 million in legal fees and settlements. Essentially, TJX employed an insecure and antiquated encryption standard that hackers were able to wirelessly access from the parking lots of two Marshall’s locations in Miami. While the company was not found to be in violation of any laws in its failure to safeguard sensitive customer data, it was deemed to have failed to comply with a number of soon-to-be-adopted Payment Card Industry Data Security Standard (PCI DSS) guidelines.
Introduced in 2004, and periodically updated, the Payment Card Industry Data Security Standard is the brainchild of a confederation of institutions – Visa, Mastercard, Discover, American Express and JCB – to provide a common set of policies that define how to process, transmitand store credit card information securely. The standards apply to all retailers that accept credit/debit cards for payment, with merchants falling into one of four tiers, based on their volume of card transactions.
In short, the objectives of the standards are to:
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
After completing a questionnaire to determine which level a merchant falls within, retailers are typically required to pass periodic vulnerability scans. The standards apply to both Point of Sale (POS) transactions as well as internet-based e-commerce transactions. Enforcement of compliance is the responsibility of the individual credit card brands, who may issue fines to their member banks, which may in turn pass the fines on to the offending retailer.
The PCI DSS guidelines are a separate and distinct standard from the Luhn algorithm. The Luhn algorithm is used to validate credit card or other numerical IDs to ensure that they are valid numbers and not simply a random sequence of digits. It is not designed as an encryption tool or a means to prevent unauthorized access. For a more thorough discussion of the Lund algorithm, see http://en.wikipedia.org/wiki/Luhn_algorithm.
PCI DSS is not without its critics. Complaints include accusations that the standards allow the card companies to issue fines and penalties against non-compliant entities, even in cases where no evidence of fraud exists. Others complain that the standards are essentially subjective, inherently inconsistent, confusing and altogether too expensive to implement, particularly for small retailers.
Proponents of the standards argue that at least they are a step in the right direction by forcing retailers to think about and take security seriously, thereby protecting themselves, the financial institutions and – ultimately – the privacy and protection of the consumer.
Check out Sherpa Software’s solutions for electronic data management and compliance.