This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."


Similar to regulatory requirements such as SOX and HIPAA but not legally binding, the standard has gotten the attention of C-level executives and spurred infosecurity spending. Yet unlike some legislative attempts to mandate cybersecurity, PCI wins praise from security experts for providing specific requirements on encrypting data, implementing access controls and configuring firewalls.

"PCI tells you exactly what you have to do," says Alan Paller, director of research at the SANS Institute.

As of June 30, 2005, merchants at levels 1, 2 and 3 (based on the number of credit card transactions processed annually) were required by credit card associations to implement the procedures documented in the PCI requirements, or risk being slapped with thousands of dollars in fines--or worse, losing the ability to process customers' credit card transactions.

That's a pain point organizations of all sizes can relate to. "Everyone who processes credit cards lives or dies on that income--churches, schools, government, retailers," says Paller.

PCI requires companies that store, process and transmit credit card holders' information to devise information security policies, harden and routinely test network security hardware and software, and keep security products updated with vendor-distributed patches. PCI also mandates quarterly network scans and annual network audits, depending on a company's level.

To date, of the level 1 merchants tracked by Visa (which generate about half of all Visa transactions), "over 90 percent have gone through [a PCI] audit and are now engaged in remediation issues found in the audit," says Visa U.S.A.'s Jennifer Fischer, a senior information security analyst at the Foster City, Calif.-based credit card giant. Level 1 includes any organization processing more than 6 million Visa transactions per year. She acknowledges that "there is a lot of work that needs to be done to comply [with PCI]"; many businesses are still in the process of coming into compliance.

Christine Elliott, a spokeswoman for American Express, says the company is in close talks with its merchants about PCI compliance. "They understand the importance of data security and are working aggressively to protect it," she says. "It's their own brand and the cachet that goes with it [that's at stake should a breach occur]."

Archrivals in any other context, credit card companies are aligned behind PCI, to the relief of the IT security and privacy personnel who must guard credit card data. PCI, in effect, takes precedence over earlier efforts such as the Cardholder Information Security Program, established by Visa in 2001, and MasterCard's Site Data Protection program. In 2004, Visa and MasterCard combined their programs and created the PCI guidelines; endorsements from American Express, Diners Club and Discover Card soon followed.

This was first published in May 2006
