Operators whose companies are "PCI Level One" merchants know it. This means you process over 6 million credit card transactions per year through your merchant bank. Operators who are uncertain not only need to know their level, but be aware of PCI's incredibly broad impact. If your business is not compliant, your bank will be penalized, and if your bank is penalized, guess who gets to make it up to them? These penalties are so high, that it could eventually lead to the inability to accept credit cards.
Up until recently (late 2007), PCI and their "enforcer" banks really only focused on level one merchants. They then moved down to level two merchants, extending stiff penalties for non-compliance, and continue to move down the chain today. With major data breaches in companies like TJ Maxx, who reached a $40.9 million settlement with Visa over the theft of credit card information, CIOs can no longer afford to simply sign off on PCI questionnaires to ease bank compliance pressure. They need to know what they are getting into.
A bit of history:
It is safe to say that PCI DSS is right up there with Sarbanes Oxley (SOX) now. What were once five separate security standards (one for each major card brand) became a combined standard that includes the following:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
More than meets the eye
Sounds simple enough, right? You may be surprised at the depth in which each requirement is broken down because unfortunately, there isn't just one question per requirement. Not only are there four PCI Merchant Levels, but there are five Self Assessment Questionnaires (SAQ), depending on how you conduct business. On SAQ D, which began in 2004 as 73 fairly innocuous survey questions, became 234 very detailed requirements in September 2006; all of which require documented proof of compliance. When my senior leadership team at Hard Rock International and I got together to knock out the new 234-question survey, we had more questions than answers. I had to bring in a Qualified Security Assessor (QSA) to interpret, interview the staff and provide an assessment report on internal compliance.
It doesn't stop there. Your merchant bank will require a completed and signed survey from you that says "YES" on each of the questions. Those that are not in compliance will have to have a remediation plan attached with specific dates for compliance.
As an example of the evolution of PCI SAQ D, you could be 100% compliant under the 1.0 (73 question) SAQ and you could instantly become 61% compliant under the 1.1 (234 question) SAQ. Whoa, what the heck happened; all of a sudden are you primed for a breach? Maybe not. Much of the 39% could simply be policy and procedure documentation or proof that you are doing what you say you were doing. Like SOX, a lot of the compliance requirements are simply audit and policy measures. It doesn't mean they are less important and you have to prove it if/when you get audited.
It's not just an IT thing
If you are not ready for PCI DSS, then get informed because there are many myths about PCI compliance that you need to be aware of. There is a good summary on the PCI Website, "Ten Common Myths of PCI DSS." It's worth a look (http://www.pcisecuritystandards.org).
And don't forget to review PCI DSS 1.2 which came out earlier this month.
Joe Tenczar is the top technology executive for Hard Rock International, which owns/ franchises the following globally: Hard Rock Cafes, Hard Rock Hotels, Hard Rock Live, Hard Rock Casinos, and Hard Rock Park. He specializes in not only the overall tactical technology necessities, but a strategic focus on new technology's place in the industry.