Archive for the ‘PCI’ Category

PCI Compliance Series: 6.6 Roundup

Monday, June 23rd, 2008

There are only a handful of days left for companies to become compliant with section 6.6 of the PCI DSS, and even more scare tactics are being tossed into the marketplace. Compliance itself should not be feared; as we all know, it is the penalty for falling short that can be the most costly (see TJX). So what can you do to step up your compliance? Here are a few tips from around the web.

Security Ninja offers up these four tips:

1. Manual review of application source code
2. Proper use of automated application source code analyzer (scanning) tools
3. Manual web application security vulnerability assessment
4. Proper use of automated web application security vulnerability assessment (scanning) tools

On Tray Ford’s blog, there is mention of a supplement that was released to help clarify 6.6. It is used as a tool to help understand the requirement, although “in no way replaces or supersedes Requirement 6.6 in the Data Security Standard.”

Finally, I took to YouTube to find some helpful information about PCI and I stumbled upon the videos below.


PCI DSS Explained


PCI 6.6 Compliance


Becoming PCI Compliant (and using the right point of sale)

PCI Compliance Series Part Twelve: Using WSP to help with 6.6 Compliance

Thursday, June 19th, 2008

Eleven days remain for companies to make sure their web-facing applications and websites are PCI compliant according to section 6.6. While authoring the PCI Compliance blog series I often look to other websites for insights and quotes, but for this part of the series I can pretty much look inward at our own solutions.

The general thought is that by June 30, most of the companies who need it will fail to comply with section 6.6. The sad reality is the quick fix mentality will lead to many of the compliance issues, as application firewalls only place a Band-Aid on the gaping wound that is poor code development. So will your website be compliant? [The Tech Herald]

E-xact recently launched Web Secure Pay, a fully compliant way of having your website visitors complete transactions without ever leaving card data behind. Customers and clients stay within the confines of your website; when it comes time to process the transaction they are passed through our secure systems and then brought back to your online environment seamlessly.

We’ve also produced step-by-step screencasts featuring everything from implementation to the code that drives our intuitive transaction processing manager.

Section 6.6 is about looking at the code AND the application itself. It’s no secret that our application runs smoothly with Ruby on Rails, which allows for a slick interface while remaining secure with its tight and compliant code. You can view more detailed screencasts involving implementation and processes on our Viddler profile and click here to find out more about WSP.

PCI Compliance Series Part Eleven: Link Roundup Examining 6.6

Wednesday, June 18th, 2008

The PCI DSS section 6.6 compliance deadline is merely 12 days away; here are some more thoughts about this requirement.

Over on the ModSecurity Blog they closely examine this portion of 6.6:

    “6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

  • Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
  • Installing an application layer firewall in front of web-facing applications.

    Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.”

As you can see, the goal of this section is to show that not only were vulnerabilities identified but that they were also fixed. So whether or not the vulnerabilities were identified by source code review or a scanner does not seem to be the main issue from PCI but rather was the vulnerability actually fixed??? It is the process of actually remediating the vulnerabilities that is taking entirely too long for organizations, if it happens at all. I mean, how many times does an Authorized Scanning Vendor (ASV) find the exact same vulns showing up in scan after scan? They are quickly showing the customer what/where the problems are but they just can’t fix them for a variety of reasons. [Read more... ModSecurity Blog]

VeraCode looks specifically at the semantics of the requirement:

Requirement 6.6 of the PCI-DSS becomes mandatory in June 2008 and requires all web-facing applications to either undergo a code review OR be protected by a web application firewall. There were questions on what “web-facing” means, and the Council admitted that it needed rewording. This could be interpreted as any application using HTTP as a transport mechanism, or it could mean only those applications that were Internet-facing. It sounded as if they meant the latter, but they did not say so outright which was confusing. Web services applications would also be within scope. [Read more... VeraCode]

On SearchSecurity they drive home the high complexity of 6.6:

Section 6.6 is the most difficult and controversial part of the PCI DSS. It calls for either a review of all Web application code developed in-house, or the installation of an application layer firewall to protect all Web applications from known attacks. This puts most companies in a difficult position. [Read more... SearchSecurity]

And with a helpful twist, SearchQualitySoftware offers this advice:

…the simplest, least-expensive, and most reasonable way to satisfy PCI DSS Requirement 6.6 application code reviews is to perform automated scanning and manual testing of the application. Do them from the perspectives of both an untrusted outsider and a trusted user. [SearchQualitySoftware]

Section 6.6 is indeed unique as it brings to light the very real challenges that every connected company must face regarding web security. You can read more about section 6.6 on the PCI DSS website and in this supplement PDF.
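The code review that 6.6 calls for exists to catch defects like the one below, the SQL injection that heads most lists of web-application breach causes. What follows is an added example written for this page in Python with the standard-library sqlite3 module; it is not code from the ModSecurity, VeraCode or SearchSecurity posts quoted above, nor from E-xact. The customers table and its rows are constructed. The first lookup pastes the request parameter into the SQL text; the second binds it as a parameter, which is the fix a reviewer would ask for (a web application firewall placed in front of the same application, the other 6.6 option, would instead have to recognise each attack string as it arrives).

```python
import sqlite3

# Constructed table of customer logins; not real data.
CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, login TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, login):
    """The defect a 6.6 review flags: the request parameter is pasted into
    the SQL text, so quotes inside it change the statement's structure."""
    sql = "SELECT login, email FROM customers WHERE login = '%s'" % login
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, login):
    """The remediation: a bound parameter. The value travels to the engine
    separately from the statement and can only ever be compared as data."""
    sql = "SELECT login, email FROM customers WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


def demo():
    """Run both versions against a normal login and two classic payloads."""
    conn = make_db()
    tautology = "nobody' OR '1'='1"   # becomes: WHERE login = 'nobody' OR '1'='1'
    truncation = "alice'--"           # becomes: WHERE login = 'alice'--'
    return {
        "normal_fixed": lookup_fixed(conn, "alice"),
        "tautology_vulnerable": lookup_vulnerable(conn, tautology),
        "tautology_fixed": lookup_fixed(conn, tautology),
        "truncation_vulnerable": lookup_vulnerable(conn, truncation),
        "truncation_fixed": lookup_fixed(conn, truncation),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Run it and the string-built lookup returns every customer for the tautology payload and alice's row for the comment-truncation payload, while the parameterised version returns nothing for either, because the engine compares the whole payload against the login column as a literal value.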

PCI Compliance Series: Part Ten - PCI DSS 6.6 Deadline This Summer

Tuesday, June 17th, 2008

PCI deadlines for compliance seem to be catching up with merchants all the time. Standards adapt, upgrade and tighten for greater security, imposing new compliance obligations on businesses. The latest compliance deadline is June 30, 2008, and the PCI blog world is buzzing about what this all actually means (there’s even a countdown clock that you can put on your website).

PCI Blog - Compliance Demystified: “What does it mean? In order to understand this you have to take my Attack Vector based Risk Management (AVRM) approach towards the intent behind this requirement. One could easily reference that the intent behind this requirement is to prevent Internet-facing web-application compromises and you would be correct, but also missing the deeper meaning and back story.

Although card-present (typically IPOS) systems account for a greater number of credit cards stolen, about half of all account compromises are a result of web-application data breaches. Of this population, about 90%+ of the data compromises are a result of the top 5-10 web-application vulnerabilities. These include, but are not limited to, SQL injection, cross-site scripting, cross-site request forgery (CSRF) and other input/output validation issues. Knowing this you can now imagine that if we could mitigate the risk of these top attacks we could reduce the population of credit card data breaches by almost half!”

This standard is focused on web-applications that process transactions, which is basically right up our alley. Finding the proper (and secure) web-application for your merchant needs can be difficult and you’ll certainly want to find one that meets PCI DSS 6.6 by the end of this month.

We are pleased that E-xact has been fully PCI compliant over the last several years and remains as such.

You can find more information on the official PCI DSS website and feel free to contact us to discover ways that E-xact can alleviate your security risks when using our payment management solutions.

News Release: E-xact Achieves PCI Compliance Again in 2008

Monday, April 14th, 2008

VANCOUVER, BRITISH COLUMBIA- E-xact Transactions Ltd. (TSX VENTURE:EXZ) (www.e-xact.com), a leading provider of advanced payment gateway solutions, is pleased to announce that it has once again achieved full compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).

Being PCI compliant assures that E-xact can offer payment solutions for merchants to manage their transactions online with our Realtime Payment Manager application, RPM.

PCI DSS was developed globally to ensure merchants and service providers adopt best practices to enhance their payment account security. For more information about the PCI DSS visit www.pcisecuritystandards.org.

“It’s encouraging to once again be recognized for our efforts; we’re very committed to our secure solutions along with our application’s non-storing capabilities. It’s because of these valued features that we endeavor to maintain compliance within an industry where data security is paramount,” Peter Fahlman, President.

E-xact Transactions Ltd. is one of the largest Rails-powered financial services developers in the world. RPM handles over 30 million transactions each year from over 7000 users, worth $3 billion. With offices in Vancouver and Beijing E-xact is using Ruby on Rails to power payments everywhere. Watch for E-xact at the upcoming RailsConf in Portland, Oregon.

For more information on E-xact and its product offerings, visit www.e-xact.com.

Peter Fahlman, President

About E-xact Transactions Ltd. (http://e-xact.com)

E-xact is a fully PCI compliant provider of fast and secure online transaction solutions. Since 1998, we have been at the forefront of the emerging world of online exchange, with solid and secure transaction processing systems and superb customer service. E-xact specializes in real-time, secure movement of financial information through IP-based point of sale interfaces, providing quick, easy and affordable transaction solutions for merchants and corporate businesses.

The statements which are not historical facts contained in this release are forward–looking statements that involve risks and uncertainties. E-xact Transactions Ltd.’s actual results could differ materially from those expressed or implied by such forward-looking statement. Factors that could cause or contribute to such differences include but are not limited to competition, general economic conditions, currency fluctuations and other risks detailed in the Company’s filings with the Canadian securities regulatory authorities. The TSX Venture Exchange has not reviewed and does not accept responsibility for the adequacy or accuracy of this release.

PCI Blog - Compliance Series: Part Nine

Monday, January 28th, 2008

Reports in the new year are fairly encouraging when it comes to PCI compliance. According to SC Magazine US, “The number of large corporations in adherence jumped from 12 percent in March 2006 to 77 percent by the end of last year, while medium-sized merchants improved by nearly 50 percent in the year beginning December 2006.”

That covers what are identified as Level 1 merchants, those generating 6 million or more Visa transactions annually. For Level 2, Visa confirms that 62% are compliant, which still leaves Level 3 merchants.

Level 3 merchants include traditional brick-and-mortar businesses as well as e-commerce/internet retailers.

The 2,596 so-called Level 3 e-commerce-only merchants, those submitting 20,000 to 1 million Visa transactions a year, had a 54% full validation rate as of Dec. 31, with another 20% having submitted an initial validation or were in remediation. [Digital Transactions]

Things are looking up for credit card users and consumers who deal with merchants such as these. The responsibility is shifting more than ever to the merchant: fines and levies are one thing, but they are nowhere near as hefty as a security breach, which can lead to losses in the millions. The cost of PCI compliance is certainly a justified expense for any business.

For more information about PCI compliance visit the PCI website and take the self-assessment. If you process transactions, whether it be online or through a brick and mortar business, feel free to contact us to find out about how E-xact can become your compliant payment gateway solution.

PCI Blog - Compliance Series: Part Eight

Wednesday, January 2nd, 2008

Back at work this morning after the holidays and for the first time in 2008, I picked up a copy of Digital Transactions while having my morning coffee. The issue was from November 2007 but featured “The 10 Most Pressing Issues in E-Payments”. Of particular interest on the list was number 3, PCI And Data Security:

“The Payment Card Industry Data Security Standard (PCI DSS) has turned into the next Sarbanes-Oxley. What with a seemingly never-ending rash of card-data leaks, businesses are finding themselves under pressure as never before to shore up internal systems, stop collecting certain data from mag-stripe swipes, and keep themselves from becoming the next breach headline.” [Read more in the Digital Transactions archives].

It seems like 2007 was a breakthrough year in terms of the awareness of credit card data storage and fines however there is still an alarming number of companies who are not compliant. The year in review over at Search Security written by Mike Rothman quite frankly sums up 2007:

Looking ahead, it’s hard to envision 2008 being that different from 2007. We’ll see more data breaches, more disclosures and probably more legislation and regulation. Companies will continue to spend money to keep their auditors happy and stay one step ahead of the compliance reaper. But until we really see an organization raked over the coals because of a compliance violation, we’ll continue to deal more with the specter of compliance than the reality. [Search Security]

This quote is pretty harsh as it describes a more reactionary step toward compliance, rather than preventative. Companies can be confronted with as many scare-tactics as possible but PCI DSS is something that benefits your business and your consumers, and should be proactively considered.

The deadline for Tier 2 companies (those who process between 1 and 6 million transactions a year) was December 31, 2007. However, the PCI council itself does not impose fines; those come from the credit card companies/payment brands like Visa (which has recently been named the “World’s Leading Credit Card” for the 10th year in a row [BusinessWire]).

For more information, tailored to merchants courtesy of Visa, visit their Cardholder Information Security Program website.

For more information about the Payment Card Industry Data Security Standard, read through the FAQ on the PCI DSS website.

This blog post is a part of the E-xact Transactions Ltd. PCI Blog Series.

PCI Blog - Compliance Series: Part Seven

Thursday, December 27th, 2007

On the cusp of the new year, I’d like to welcome folks back from the holiday rush. Reading the news this morning it seems as though everyone’s already feeling the weight of debt after maxing out their credit cards this season.

The consumer debt level in Canada has climbed from $197 billion to $340 billion in just 7 years, and it’s continuing to increase… [News1130]

Once I got past the news about how consumers are going to start the new year in the red, there was an abundance of “credit card fraud” titles listed in the headlines. From a man stealing his customers’ credit card data in Minnesota, to members of an Iowa football team pleading guilty to credit card fraud charges.

Consumers have more to worry about aside from purchasing one too many gifts for loved ones and receiving a beefy statement next month. PCI compliance standards don’t simply protect merchants from costly penalties and potential breaches; they also safeguard consumers, as after all, it’s their data.

Protecting data is everyone’s responsibility, from diligent consumers to merchants stepping up and becoming compliant with the PCI DSS. Once consumers place their information in merchants’ hands, the responsibility shifts, and it’s up to merchants to handle that sensitive data carefully and to avoid storing it.

According to a report from Visa issued on Oct. 24, 65 percent of the nation’s largest retailers are compliant with the PCI (Payment Card Industry) Data Security Standard. That number is an increase of 81 percent from December 2006 and 63 percent since July. But the statistic is hardly a cause for celebration—it means 35 percent of large retailers were still out of step with the requirements a month after the Sept. 30 deadline. The challenges of achieving compliance have given birth to countless numbers of tools from vendors looking to address security and auditing concerns posed by the standard. [eWeek]

Audits are costly, as are breaches (especially if you’ve been following TJX’s story). The cost of becoming compliant pales in comparison to the consequences and potential weaknesses companies can face.

This new year, allow E-xact (who is fully PCI compliant) to demo our safe and secure processing tools. From Virtual Point of Sale, to Searching, Reports and various plugins. Not only do we have innovative do-not-store capabilities, we use the latest and sleekest technologies. Sign up for a free demo today, or contact us to find out how to start the new year in the right direction.

PCI Blog - Compliance Series: Part Six

Tuesday, December 11th, 2007

What merchants don’t know can hurt them.

According to the Payment Card Security blog, “78% of merchants don’t know… and institutions don’t care about PCI DSS“.

In the last PCI Blog post we featured a video outlining a personal story about credit card data security and the consequences. With deadlines looming as we look ahead to 2008, credit card companies are prepared to make sure that merchants know just exactly what the dangers are.

But here’s the question, can companies make the deadline in time?

Nearly a year after TJX Companies suffered what is believed to be the largest identity theft to have hit a retailer, credit card companies are laying down the law for any merchant who transacts business with plastic. By New Year’s Eve, all businesses that handle between 1 million and 6 million credit card transactions a year (primarily mid-market companies) must comply with the Payment Card Industry’s new Data Security Standard (PCI DSS). [CIO]

It can be done, and if encouragement, videos and blog posts aren’t enough the truth is that Visa, Mastercard and other companies will begin imposing fines on companies that are not on the path to compliance. To speed up the process, here are a few things you can look for right away.

Top 5 Vulnerabilities Leading to Credit Card Data Breaches (from the Braintree Blog)

1. Storage of prohibited data
2. Poorly coded web-facing applications resulting in SQL injection attacks
3. Vendor default settings and passwords (i.e. unsecure wireless networks)
4. Un-patched systems
5. Unnecessary services on servers

E-xact can help with at least two of these vulnerabilities.

1. Using E-xact as a payment gateway eliminates merchants’ needs to store any data on their systems. E-xact is a secure processor with which merchants can perform transactions and even do searches and reports with our Realtime Payment Manager, RPM all while not having a single bit of the transactional data stored on their systems.

2. E-xact is fully PCI Compliant, which means when using our web application, RPM, your information and more importantly your customers’ cardholder information is securely processed.

For more information, please visit our solutions page, and be sure to read the PCI DSS guidelines. Those 12 steps could save you a lot of headaches, and certainly a lot of money. For some perspective, TJX just settled with Visa for $40.9 million. The cost of compliance is a bargain in comparison.

PCI Basics:

PCI Blog - Compliance Series: Part Five

Friday, November 16th, 2007

We’ve talked a lot about big businesses like Tier 1 providers, who do over 6 million transactions a year, but what about compliance for the little guys? For the mom n’ pop establishments out there?

While browsing a daily read of mine over at the Braintree Blog I came across the following, which was produced by the Retail Solutions Providers Association. The video below takes a look at this issue - it’s about 12 minutes long but definitely worth viewing.

Part One:

Part Two:

“Upwards of 60% of consumers won’t go back to a place that’s breached their credit card data”

Action items noted:

  • Make sure your point of sale system has a firewall
  • Make sure patches are up to date
  • Install anti-virus software
  • Change passwords often
  • Turn off remote access when not needed
  • Stay educated
  • Contact your POS provider to see what exactly you are storing on your system
  • “If you don’t need it - don’t store it!”

How does E-xact fit in?

In the video Jennifer Fischer, the representative from Visa, suggests one of the steps merchants should take toward PCI Compliance is to visit the Visa website and view their list of compliant providers. Sure enough you’ll spot E-xact listed in this directory.

The message of the video is clear: the liability is with the retailer, and it’s up to the merchants to make sure they have the right equipment, software and systems in place to protect themselves from attacks. This starts with having the right tools, but also with education about the importance of not storing data, something we’ve made sure to build into our Realtime Payment application, RPM.

*The deadline for compliance of Tier 2 companies (those who process between 1 and 6 million transactions a year) is December 31, 2007.

To learn more, visit the PCI DSS website, or read E-xact’s other PCI Blog posts.

PCI Blog - Compliance Series: Part Four

Tuesday, October 16th, 2007

Since starting our PCI Blog, I’ve been able to discover some of the great ways that the industry is educating merchants and customers alike. There are many resources available out there, and since our last entry focused on podcasts and webcasts, I’d like to identify some great blogs I’ve discovered.

Braintree Payment Solutions keeps a blog that is updated frequently with fresh links, views and information about the payment card industry.

December 31 is the Next PCI Compliance Deadline: Now that the 327 Level 1 merchants appear to be getting closer to compliance, Visa is now setting their sights on Level 2 merchants that are defined as processing 1 to 6 million Visa transactions annually. There are currently 729 merchants in this category. As of August 31st, 38% were validated and 44% had submitted initial validation but were in remediation. [Braintree]

On the sidebar of E-xact’s homepage you can find our online poll, asking “Is Your Business PCI Compliant?”. So far it’s split three ways, with only 33% of those polled being fully compliant.

Braintree’s blog also has a helpful post about PCI Compliance Basics, as there is still a long way to go for merchants who seek compliance.

Retail Solutions Online rounds up a few more facts.

…53 percent of enterprise-class companies do not meet the data security standards established by the PCI. The report also lists the top 10 reasons companies fail PCI data security audits. PCI security standards apply to all companies that store, process and transmit credit and debit card payment information. [Retail Solutions Online]

As a starting point, be sure to check out the official PCI compliance guide, as being aware of the requirements is the first step.

Another site, and good source for payment card news, is the Merchant Account Blog. I’ve been following it for a while now and it recently celebrated its 2nd anniversary. In a recent post they link back to a fellow local Vancouver company.

A few weeks ago Elastic Path published their Ecommerce Checkout Report which was a great breakdown of the online trends of the top 100 internet retailing websites.

One area that I found particularly interesting is that only about half of the top 100 online retailers require additional card verification (CVV2, CID, CVC, etc) information to be entered when a customer makes a purchase. [Merchant Account Blog]

What seem to be minute details could mean millions of dollars lost if security is breached. The main concern of the PCI DSS is the protection of cardholder data. With the recent deadline behind us, there is some confusion milling about regarding who should ultimately be responsible for this data.

…According to [the National Retail Federation], credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months to satisfy ‘card company retrieval requests.’ [InfoWorld]

The NRF is pushing for completely abolishing the storage of cardholder data by merchants. A very bold move, which steps beyond PCI and attempts to keep up with hackers and malicious information seekers. Should the responsibility now fall on the issuer, the merchant, or even the cardholder? Perhaps it’s a mix of all three.

A recent report by Forrester Research said that 81 percent of merchants retain credit card data, and that they typically keep too much of this data. Seventy-three percent store expiration dates, 71 percent store verification codes, and 57 percent, card-stripe data, the report said. [DR News Analysis]

The solution could vary from better systems for storage (or lack thereof) down to the point-of-sales being used. The main objective is to protect and secure cardholder data at all times.
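Of the three data items in the Forrester figures above, only the expiration date may be kept: full track (card-stripe) data, the verification code (CVV2/CVC2/CID) and PIN blocks are sensitive authentication data that PCI DSS requirement 3.2 forbids storing after authorization, even encrypted, and requirement 3.3 limits a displayed PAN to at most the first six and last four digits, with 3.4 requiring the stored PAN to be rendered unreadable (truncation or a strong one-way hash among the accepted methods). The following is an added example written for this page in Python, not E-xact’s RPM code or any vendor’s product. The authorization record and log lines are constructed, 4111111111111111 is the public Visa test number, and PAN_HMAC_KEY is a placeholder. The scanner at the end is the kind of check a merchant can run over POS or gateway logs to find out what they are actually storing.

```python
import hashlib
import hmac
import re

# Placeholder key for the keyed hash (an assumption for this example). In a
# real deployment it lives in an HSM or key-management service, never in the
# database or log store beside the data it protects.
PAN_HMAC_KEY = b"example-key-do-not-use"

# Sensitive authentication data: PCI DSS 3.2 forbids storing any of these
# after authorization, encrypted or not.
SENSITIVE_AUTH_DATA = ("cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block")

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded
# in a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid 13-19 digit runs found in free text (logs, dumps)."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan):
    """First six and last four digits are the most 3.3 allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan):
    """Keyed one-way hash of the PAN for lookups and duplicate detection (3.4).
    An unkeyed SHA-256 is not enough: once the six-digit BIN is known there
    are only about 10**9 Luhn-valid candidates left to brute-force."""
    return hmac.new(PAN_HMAC_KEY, pan.encode("ascii"), hashlib.sha256).hexdigest()


def storable_record(auth):
    """Reduce an authorization request to what may be persisted afterwards."""
    pan = re.sub(r"[ -]", "", auth["pan"])
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    kept = {k: v for k, v in auth.items() if k not in SENSITIVE_AUTH_DATA and k != "pan"}
    kept["pan_masked"] = mask_pan(pan)
    kept["pan_ref"] = pan_reference(pan)
    # Belt and braces: no field other than the hex reference may still look like a PAN.
    plain = " ".join(str(v) for k, v in kept.items() if k != "pan_ref")
    if find_pans(plain):
        raise ValueError("full PAN survived sanitization")
    return kept


# Constructed authorization request (the public Visa test number, fake track data).
SAMPLE_AUTH = {
    "pan": "4111 1111 1111 1111",
    "expiry": "0910",
    "cvv2": "123",
    "track2": "4111111111111111=09101011000012345678",
    "cardholder": "A TESTER",
    "amount": "19.99",
}

# Constructed log lines of the kind a POS or gateway debug log emits: one with a
# full PAN, one with a digit run that fails Luhn, one correctly masked.
SAMPLE_LOG = (
    "2008-06-18 12:00:01 auth req pan=4111 1111 1111 1111 exp=0910 cvv2=123 amt=19.99\n"
    "2008-06-18 12:00:02 auth req pan=4111111111111112 exp=0910 amt=5.00\n"
    "2008-06-18 12:00:03 auth ok  pan=411111******1111 amt=19.99\n"
)


if __name__ == "__main__":
    print(storable_record(SAMPLE_AUTH))
    print("PANs found in log:", find_pans(SAMPLE_LOG))
```

The Luhn filter is what keeps the scanner useful on real logs: timestamps, order numbers and amounts produce plenty of digit runs, but only a card number passes the check digit, so the first log line is flagged and the other two are not.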

For more information from E-xact about PCI DSS, keep an eye on our PCI Blog or visit our About Page for links and information.

E-xact Transactions Ltd. has been fully compliant with the industry since 2004.
[About - E-xact]

PCI Blog - Compliance Series: Part Three

Friday, September 14th, 2007

In the first two blog posts we identified the Payment Card Industry Data Security Standard, who needs to comply, why, and how to get information. My search for PCI information has led me to numerous news pages and blogs, but recently I discovered several podcasts which all touch on the subject, feature industry experts or offer advice.

Many vendors are positioning their products as compliance offerings, but when should you focus on fine-tuning your existing architecture and when is it time to buy? And when it is time, what should you keep in mind?

This podcast will count down the top five questions that you should ask when preparing to make a compliance-related purchase. [SearchCIO]

The “Top 5 Questions to Ask When Shopping for Compliance Products” podcast asks:

  • What areas of compliance does the product help to address and what successes have customers had with the product.
  • Does the product scale?
  • Can the product be secure?
  • How does it integrate with other products and activities?
  • How much work and time will it take for an organization to realize the benefits of the product?

Another podcast series, ‘Speaking of Security’, mostly features computer security in general but has special episodes focusing on PCI.

Speaking of PCI. This podcast focuses on the Payment Card Industry Data Security Standard: what it is and how it’s driving companies to adopt lifecycle information-centric security strategies to comply with other regulations and to implement industry best practices in terms of Enterprise Data Protection. [RSAPodcast]

Gartner Voice - ‘a podcast for business and IT professionals’ - also offers up some helpful tips on compliance in an episode from April 2006.

The Payment Card Industry (PCI) Data Security Standard was created in 2001 yet the card-accepting industry still struggles to demonstrate compliance with it, let alone protect cardholder data in many cases. Learn what steps your organization can take to cope with the growing need for compliance.

And finally, I found this link via the Forbes website - Configuresoft’s Sound Advice podcast series titled, “PCI DSS State of the Union.”

In the first podcast of a three part series, Chris Farrow, director of Configuresoft’s Center for Policy and Compliance and Co-founder of the PCI Security Vendor Alliance, provides an overview of the current state of PCI DSS compliance in the enterprise: what’s working, what’s not and where the standard is heading. [Forbes][ConfiguresoftPodcast]

No matter the size of your company or the number of transactions processed, this standard will affect all merchants who accept credit or debit cards in any way, shape or form. Feel free to share thoughts, links and ideas for the next installment of this PCI blog series, which will touch on implementation, in the comments section below.

For more information from E-xact about PCI DSS, keep an eye on our PCI Blog or visit our About Page for links and information.

E-xact Transactions Ltd. has been fully compliant with the industry since 2004.
[About - E-xact]

PCI Basics:

PCI Blog - Compliance Series: Part Two

Friday, September 7th, 2007

Throughout the coming weeks we’ll be featuring articles and information regarding PCI compliance, in an effort to educate merchants and acquirers about this standard. You can subscribe to all of E-xact’s blog posts using the “PCI” category or keep an eye on our PCI Blog for links and information.

As the PCI deadline approaches, merchants are finding out just what it takes to become compliant and more importantly, how crucial it is to be a part of this movement.

Visa USA recently announced that 96 percent of the largest businesses[1] that accept Visa cards for payment have confirmed they are not storing sensitive account data. Storing prohibited account data including security codes and PINs violates Visa rules and increases a business’ risk by making it a target for hackers [RetailSolutionsOnline]

The other morning I sat in on a webcast sponsored by Information Week entitled: PCI Compliance for Data in Motion - How to protect payment card data transmitted via email and file transfer. There are so many aspects to PCI Compliance it’s difficult to hone in on what directly applies to your company. The first step is recognizing how important it is to be secure, and for a basic example I’ll share the results of an online interactive poll from the webcast.


According to results from participants on the call, 83% had “No Idea”, 10% used “Spot Checks”, and “Standard IT Reports” accounted for about 6.7%. The call leader, Dan Maier, Sr. Director of Product Marketing with Tumbleweed Communications, was not surprised by these results, as many companies are unaware of the sensitive content that might be moving through their email stream.


You can download Tumbleweed’s Whitepaper on PCI compliance for more information about the presenters of the webcast.

During the question and answer session a caller asked how their start up company can figure out the process for accepting credit cards, and what is the first thing they should be doing.

Mr. Maier suggested right away that they go and find an experienced payment gateway company. Payment gateways such as E-xact can help set up systems for managing credit card processing. Start-ups (along with established businesses) also need to learn how to manage and store credit card information securely; better yet, E-xact can assist with compliance in this area, since using RPM means card data is not stored on company systems.

For more information, there are actually dozens of PCI blogs out there and we’d like nothing more than to pass on that information. Links and tips we find about PCI in the news are shared and posted on our “Newsroom” page under our “PCI” del.icio.us links in the sidebar. Should you come across a PCI blog or news article, feel free to send it our way on del.icio.us, if you have an account. Simply tag the story “for:ExactTransactions”.

Our most recently bookmarked link is an entry entitled ‘How to Become PCI Compliant‘. It features basic PCI facts, outlining the different levels of compliance for various tiers of businesses, merchants and providers.


E-xact customers and those inquiring about using E-xact as a secure payment gateway should know that we have been compliant with the industry for several years.

“We’ve been doing security audits since 2003 and this year’s audit was the most detailed yet. It’s great to see the industry recognize our efforts in treating data security as a critical priority within our organization,” Peter Fahlman, President. [News Release, May 2007]

Processing your payments through E-xact ensures that data is not being stored on our systems, and your transaction information is safe and secure. You can view our listing on Visa’s list of compliant service providers or read Mastercard’s PCI Manual for more information.

Archive audio for the webcast mentioned in this blog post is available here

PCI Blog - Compliance Series: Part One

Tuesday, August 21st, 2007

You’ve probably heard about it by now if you’re in business, operate with e-commerce or are a part of any merchant organization. The PCI compliance crackdown begins September 30, 2007 - but just what does that mean to you?

On the 30th of September this year, a new compliance directive will come into force from the Payment Card Industry (PCI) that will affect each and every business that accepts credit cards around the globe… …Among the directives is a requirement for merchants to secure their networks, both wired and wireless, and to audit their compliance at least once every three months. [Bangkok Post]

As scary as it sounds, here’s the basic concept: Being PCI compliant means that your customer information is safely and securely passing through your business.

Limiting your business’ liability while ensuring secure passage of non-stored data is paramount. Key industry players have gathered to compile and enforce standards in hope that everyone will comply.

The PCI Security Standards Council’s mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. [PCISecurityStandards]

Many countries and states have already made these rules and practices mandatory, which is basically for our own good.

Two states, Texas and Minnesota, have actually passed laws that go far beyond PCI and state that if a TJ Maxx style breach occurs today, the merchant will have to be financially responsible for replacing all the compromised cards. [Bangkok Post]

But how does one become PCI compliant? SearchCIO has a detailed list of “PCI Myths” where they aim to set the record straight about compliance including: PCI is hard, PCI will make us secure, Encryption is scary, “I don’t take enough credit cards”, and Product “x” will make us compliant.

Whichever approach is taken, businesses are running out of time.

Visa U.S.A. Inc. this month warned large merchants that they will face fines and higher credit card transaction fees unless they fully comply with the Payment Card Industry (PCI) data security standard by Oct. 1. [ComputerWorld]

Throughout the coming weeks we’ll be featuring articles and information regarding PCI compliance, in an effort to educate merchants and acquirers about this standard.

Keep an eye on E-xact’s PCI Blog for updates.

E-xact Transactions Ltd. has been fully compliant with the industry since 2004.
[About - E-xact]