PCI DSS compliance is an industry-mandated security standard that applies to all businesses that handle, process or store credit cards. There are 12 core requirements and roughly 250 controls, but as an oversimplification it boils down to three things:
1) all merchants, regardless of whether credit card data is stored, must achieve and maintain compliance at all times (all deadlines have passed);
2) merchants cannot store certain credit card information, including CVV2, CVC2 and CID codes (three- or four-digit numbers), track data from the magnetic stripe, or PIN data;
3) if permitted credit card information such as name, credit card number and expiration date is stored, certain security standards are required.
A number of recent high-profile breaches have raised awareness of the risks associated with PCI compliance.
The motivation to become compliant
The major credit card companies have provided both carrots and sticks to compel merchants to become and remain compliant. The incentives include 'safe harbor' from certain penalties and fines if a merchant is compliant at the time of a breach.
Without compliance, if a merchant is breached and has credit card information stolen, PCI-related fines can be as high as $500,000 per incident, depending on the size of the breach. In severe cases, merchants can even be given the 'Death Penalty,' preventing them from accepting credit cards. In all, depending on the number of cards stolen, merchants are estimated to spend between $90 and $302 per record (see graph below).
The Payment Card Industry Data Security Standard (PCI DSS)
What is PCI DSS?
It's a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.
Who created it?
While Visa and MasterCard originally developed it, as of September 2006 American Express, Discover, JCB, MasterCard and Visa jointly formed the PCI Security Standards Council.
Why was it created?
It was created in response to a spike in data security breaches over the last few years. A large number of both small and large businesses have been breached, including TJX, Bank of America, Citigroup, BJ's Wholesale Club, Hotels.com, LexisNexis, Polo Ralph Lauren and Wachovia.
Who's at risk?
Any business that processes, transmits, or stores credit card information. While the publicity around security breaches has recently focused on larger companies, Visa reports that the majority of breaches are occurring at small businesses.
How can MphasiS help?
Mphasis' parent, EDS, is a major payment cards service provider, processing millions of cards for some of the leading banks in the world through its own cards processing platform, the Agile Card Framework (ACF). Working with EDS on ACF and other major cards processing products, Mphasis has developed an unparalleled understanding of the payment card industry.
Leveraging this payment cards experience, EDS and MphasiS offer a comprehensive suite of services and solutions to help organizations achieve PCI compliance. Our unique 'MphasiS / EDS’ Application Remediation Platform' solution for application remediation, along with our solutions for database and application monitoring, network management, access management and Event/Incident Management, addresses all the requirements for PCI-DSS compliance. With a focus on cost control and process improvement, the service includes pre-compliance assessment, gap analysis and solution implementation, all delivered with our proven onsite-offshore delivery model. Additionally, we support compliant consumer card services and also help third-party vendors such as embossers, PIN generators, statement printers etc. become PCI-DSS compliant. Our services and solutions can be consumed by a variety of industries: Banking, Insurance, Retail, Transportation, Travel & Tourism, etc.
MphasiS / EDS’ Application Remediation Platform
is an EDS/Mphasis proprietary solution developed to address the PCI DSS requirements of protecting data, developing and maintaining secure systems and applications, and restricting access to data by business need-to-know. The MphasiS / EDS’ Application Remediation Platform Tokenization Service is a flexible building block: a well-defined, self-contained and stateless service. It is a data-centric persistence mechanism used to store sensitive information in an isolated database.
The MphasiS / EDS’ Application Remediation Platform generation process can process multiple cards in a single request, generate a unique MphasiS / EDS’ Application Remediation Platform for each card number within a customer database, and store each card number, its associated data and its MphasiS / EDS’ Application Remediation Platform in a secure database. This solution also provides an audit trail of all user access to credit card data in the PCI-compliant zone, as per PCI requirements.
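The following is an added example, not the MphasiS/EDS product or any code from it, showing the shape of a tokenization service like the one described above: a batch of cards comes in, each card number gets one random token, the number and its permitted associated data are stored in an isolated vault, every access is written to an audit trail, and requests carrying the data elements that requirement 2) forbids (CVV2/CVC2/CID, track data, PIN) are refused outright. The class and method names, the HMAC-based lookup index, and the in-memory dicts standing in for the isolated database are all assumptions made for the example.

```python
"""Minimal tokenization vault for card numbers (PANs).

Added example; not the MphasiS/EDS product. The vault, the PAN index
and the audit trail are in-memory structures here; in a real deployment
they live in the segregated, access-controlled PCI zone.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Data elements that must never be stored after authorization:
# card verification codes, full magnetic-stripe track data, PIN data.
FORBIDDEN_FIELDS = frozenset(
    {"cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}
)


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; rejects malformed card numbers before they reach the vault."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the masking allowed in logs/displays."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenizationService:
    """Stateless-per-request service in front of an isolated card vault (assumed design)."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key  # HMAC key for the PAN lookup index, kept with the vault
        self._vault = {}             # token -> {"pan", "name", "expiry"}
        self._pan_index = {}         # HMAC(pan) -> token, so one PAN always maps to one token
        self._audit = []             # append-only record of every tokenize/detokenize call

    def _log(self, actor: str, action: str, token: str, pan: str) -> None:
        self._audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "token": token,
            "pan": mask_pan(pan),    # the audit trail itself never holds a full PAN
        })

    def tokenize_batch(self, cards: list, actor: str) -> list:
        """Tokenize several cards in one request; returns one token per input card."""
        tokens = []
        for card in cards:
            prohibited = FORBIDDEN_FIELDS & {k.lower() for k in card}
            if prohibited:
                raise ValueError(f"refusing to store prohibited data: {sorted(prohibited)}")
            pan = card["pan"]
            if not luhn_valid(pan):
                raise ValueError("invalid card number")
            idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
            token = self._pan_index.get(idx)
            if token is None:
                # The token is random, so nothing about the PAN can be recovered from it.
                token = "tok_" + secrets.token_hex(16)
                self._pan_index[idx] = token
                self._vault[token] = {
                    "pan": pan,
                    "name": card.get("name"),
                    "expiry": card.get("expiry"),
                }
            self._log(actor, "tokenize", token, pan)
            tokens.append(token)
        return tokens

    def detokenize(self, token: str, actor: str) -> dict:
        """Return the stored record for a token; every call is audited."""
        record = self._vault[token]
        self._log(actor, "detokenize", token, record["pan"])
        return dict(record)

    def audit_trail(self) -> list:
        return list(self._audit)


if __name__ == "__main__":
    # Constructed sample input using well-known test card numbers.
    svc = TokenizationService(index_key=b"constructed-demo-key")
    toks = svc.tokenize_batch(
        [{"pan": "4111111111111111", "name": "A. Customer", "expiry": "12/29"},
         {"pan": "5555555555554444"}],
        actor="billing-app",
    )
    print(toks, svc.audit_trail())
```

Two design points matter for the audit requirement: the lookup index uses a keyed HMAC rather than a plain hash so that the index cannot be used to confirm guessed card numbers, and the audit entries record only a masked PAN, so the trail can be reviewed outside the vault without itself becoming cardholder data.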