Payment card security becoming more important

May 1, 2014

Compliance with new guidelines will become necessary for many global businesses.

The new guidelines come from the Payment Card Industry (PCI) and refer to the Data Security Standard (DSS), which is a global standard “set up to help businesses process payments securely and reduce card fraud”, according to the UK Card Association.

The system will work through “tight controls surrounding the storage, transmission and processing of cardholder data that businesses handle”. According to the UK Card Association, PCI DSS is intended to “protect sensitive cardholder data”, and it sets out 12 requirements across six categories that must be met in order to fulfil the standard.

The Recycler has recently taken steps to become PCI DSS compliant, and major card companies including MasterCard, Visa and American Express have not only signed up to the system, but will require all companies taking card payments globally either to be compliant or work towards compliance.

This will affect card transactions in future, as companies taking credit cards will need to be compliant, and those paying by credit card will need to be aware that compliant companies will no longer be able to accept electronically-submitted correspondence containing credit card details, because of the security requirements of the regulations. Payment gateway providers will also need to be compliant, and businesses will be unable to become compliant unless their provider is as well.

The six categories of requirements in the standard are: build and maintain a secure network; protect cardholder data; maintain a vulnerability management programme; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy.

The two steps included in maintaining a secure network are “install and maintain a firewall configuration to protect data” and “do not use vendor-supplied defaults for system passwords and other security parameters”, whilst the two under protecting cardholder data are “protect stored data (use encryption)” and “encrypt transmission of cardholder data and sensitive information across public networks”.

Under maintaining a vulnerability management programme are “use and regularly update anti-virus software” and “develop and maintain secure systems and applications”, whilst under implementing strong access control measures are “restrict access to data by business need-to-know”, “assign a unique ID to each person with computer access” and “restrict physical access to cardholder data”.

Finally, under regularly monitoring and testing networks are “track and monitor all access to network resources and cardholder data” and “regularly test security systems and processes”, and under maintaining an information security policy is “maintain a policy that addresses information security”.
