Fall 2006 issue of Horizons

Credit Card Security
Industry: Hospitality

Jim Mather, CPA, and Cathy Behnen, CPA, CIA

In recent years, the credit card industry has been rocked by large losses of credit card data and identity theft. These losses have provoked increased scrutiny from the public and the federal government of all entities involved in credit card transactions. As a result of the attention paid to credit card security breaches, most businesses are now familiar with the penalties associated with the loss of consumer data, which include fines from the credit card associations, bad publicity, loss of business, and attention from regulatory agencies. Complying with the credit card association standards is no longer simply an inconvenience; it is required to quiet the growing call for increased regulation of credit card data security.

Payment Card Industry Data Security Standard

Visa and MasterCard decided to jointly develop one set of requirements. The resulting Payment Card Industry Data Security Standard (PCI DSS) was issued in January 2005. Companies, however, have been slow to implement the standard and may be completely unaware of it. To increase compliance, banks are now starting to require companies to state explicitly that they are in compliance with the PCI standard when renewing banking agreements. Lack of compliance could result in higher negotiated rates or the inability to re-sign with that bank.

The standard currently lists 12 broad controls that retailers, online merchants, data processors and other businesses must implement to protect cardholder data. These controls are summarized as follows:

Build and Maintain a Secure Network
i. Install and maintain a firewall configuration to protect data
ii. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
iii. Protect stored data
iv. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
v. Use and regularly update anti-virus software
vi. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
vii. Restrict access to data by business need-to-know
viii. Assign a unique ID to each person with computer access
ix. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
x. Track and monitor all access to network resources and cardholder data
xi. Regularly test security systems and processes

Maintain an Information Security Policy
xii. Maintain a policy that addresses information security

If a company knows or suspects a security breach, it should take immediate action to investigate and limit exposure. Fines of up to $100,000 per incident can be imposed on companies that cannot demonstrate compliance, and fines of up to $500,000 per incident can be imposed on a company that cannot demonstrate compliance, or is not in compliance, at the time of a breach.

MasterCard and Visa are expected to issue updates to the PCI data security standard in the next couple of months. Most of the existing PCI requirements focus on security at the network level, but many of the latest threats are on the application side. The updates to the standard are therefore expected to add protections against Web application threats.
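The article summarizes the "protect stored data" and "track and monitor all access" controls without saying how a business would meet them in practice. The Python example below is added here to make those two controls concrete; it is not code from the article or from the card associations. It shows one common design: validate a card number with the Luhn check, keep only a keyed hash (HMAC-SHA256) plus the last four digits in storage, mask the number for display, and scrub any Luhn-valid card number out of log lines before they are written. The test card number 4111111111111111, the sample log lines, and the HMAC key are constructed for this example; in a real system the key would come from a key-management service, not source code.

```python
"""Added example: keeping full card numbers (PANs) out of storage and logs.

Illustrative code written for this page, not the article's or the card
brands' own. Luhn validation, first-six/last-four masking, and storing
an HMAC plus last four digits are assumptions of this example; the
article only names the controls at a high level.
"""
import hashlib
import hmac
import re

# Hypothetical key for the PAN hash. Constructed for this example only;
# a production system would load it from a key-management service.
HMAC_KEY = b"example-key-for-demo-only"


def luhn_ok(pan: str) -> bool:
    """Return True if a string of digits passes the Luhn check."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display, leaving only the first six and last four digits."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storage_record(pan: str) -> dict:
    """Build the record that may be written to a database: never the full PAN.

    The HMAC lets the application recognise a returning card (for
    duplicate detection or reporting) without being able to recover it.
    """
    digits = re.sub(r"\D", "", pan)          # tolerate spaces and dashes
    if not luhn_ok(digits):
        raise ValueError("not a valid card number")
    return {
        "pan_hmac": hmac.new(HMAC_KEY, digits.encode(), hashlib.sha256).hexdigest(),
        "last4": digits[-4:],
    }


# A run of 13-19 digits, optionally separated by spaces or dashes, that is
# not part of a longer digit sequence.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_log_line(line: str) -> str:
    """Replace every Luhn-valid card number in a log line with its masked form.

    The Luhn gate keeps ordinary identifiers (order numbers, timestamps)
    from being mangled while still catching real PANs.
    """
    def _replace(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_ok(digits) else raw
    return _PAN_CANDIDATE.sub(_replace, line)


if __name__ == "__main__":
    # Constructed sample input for a quick manual run.
    print(storage_record("4111 1111 1111 1111"))
    print(redact_log_line("2006-09-12 auth ok card=4111111111111111 amount=42.00"))
    print(redact_log_line("order=1234567890123456 ok"))
```

The storage record and the log scrubber are the two places where a full PAN most often leaks in practice: a "temporary" column that never gets dropped, and an application log that echoes the whole request. Both functions refuse to hand back the full number at all, so a later reviewer cannot quietly widen what is kept.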

41 • summer 2006 issue
