Special Report: Payment and Collections
Here are answers to some of direct marketers' commonly asked questions about PCI, and why you should care about these new regulations.
How do I know if PCI applies to me?
PCI compliance is required of all organizations that store, process or transmit cardholder data, including merchants such as brick-and-mortar retailers, mail/telephone order direct marketers, and e-commerce retailers. PCI also applies to service providers—such as payment processors, data aggregators, collection agencies and hosting providers—that, in the course of delivering a service to a merchant, have access to cardholder data.
What is required for PCI compliance?
PCI compliance is based on 12 security requirements, often referred to as the "Digital Dozen." They are:
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
On the surface, these requirements sound straightforward. However, these 12 requirements encompass more than 200 sub-requirements.
Am I already PCI compliant? How difficult is it to comply with PCI?
Many organizations assume they're compliant because they've gone through a security assessment for Sarbanes-Oxley, HIPAA or to fulfill a contractual requirement. This is an erroneous assumption. Compared to other security standards and regulations, PCI is specific as to what is required for compliance and has some requirements unique to payments. For example, a general security assessment is unlikely to check whether card validation codes (CVV2) are being stored. Yet storing CVV2 data is one of the most fundamental violations of PCI requirements and will generate significant liability.
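The CVV2 question above is the kind of check a general security assessment misses, so here is an added example (not part of this report) of a small audit pass over a payment-record export: it flags any row that still carries a CVV2 value and, separately, any row holding a full, Luhn-valid card number in the clear. The CSV layout and column names are assumptions, and the rows are constructed sample data built from public test card numbers.

```python
import re

# Constructed sample export (assumed CSV layout, public test PANs, not real data).
SAMPLE_EXPORT = """order_id,pan,exp,cvv2,amount
1001,4111111111111111,12/26,123,49.95
1002,5500000000000004,03/27,,19.00
1003,411111******1111,08/25,456,120.00
1004,1234567890123456,01/28,,5.00
"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates real card numbers from other digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_full_pan(value: str) -> bool:
    """True only for an unmasked 13-19 digit number that passes Luhn."""
    return bool(re.fullmatch(r"\d{13,19}", value)) and luhn_ok(value)


def audit_export(text: str) -> dict:
    """Return order ids with stored CVV2 (a PCI violation) and with full
    cleartext PANs (must be protected under requirement 3, so review them)."""
    findings = {"full_pan": [], "cvv2_stored": []}
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        if is_full_pan(row["pan"]):
            findings["full_pan"].append(row["order_id"])
        # Any 3- or 4-digit value in the CVV2 column means the code was retained
        # after authorization, which PCI forbids regardless of how it is stored.
        if re.fullmatch(r"\d{3,4}", row.get("cvv2", "")):
            findings["cvv2_stored"].append(row["order_id"])
    return findings


if __name__ == "__main__":
    print(audit_export(SAMPLE_EXPORT))
```

Row 1003 shows why the CVV2 check is independent of PAN masking: the card number is masked correctly, yet the security code is still on disk.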