Store, process and transmit cardholder data? You’d better read this
03 December 2009
As more organisations choose to process card payments, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is becoming increasingly relevant.
What are the PCI DSS requirements?
They are a set of technical and operational requirements set by the PCI to protect cardholder data.
They apply to all organisations storing, processing or transmitting cardholder data, and aim to identify vulnerabilities which may be open to abuse by fraudsters.
Organisations are responsible for ensuring - through commercial practice and carefully drafted contracts - that the payment card information that they collect is processed in accordance with the requirements.
What do the PCI DSS requirements aim to achieve?
The PCI DSS requirements have six goals:
- to build and maintain a secure network
- to protect cardholder data
- to maintain a vulnerability management program
- to implement strong access control measures
- to regularly monitor and test networks
- to maintain an information security policy
It is vital that all businesses to whom the PCI DSS applies take steps to ensure that these goals are implemented and maintained.
What does this mean in practice?
The PCI DSS sets out 12 audit requirements based on the above goals:
- install and maintain a firewall system
- do not use vendor-supplied defaults for system passwords and other security parameters
- protect stored cardholder data
- encrypt the transmission of cardholder data across open, public networks
- use and regularly update anti-virus software
- develop and maintain secure systems and applications
- restrict access to cardholder data by business need-to-know
- assign a unique ID to each person with computer access
- restrict physical access to cardholder data
- track and monitor all access to network resources and cardholder data
- regularly test security systems and processes
- maintain a policy that addresses information security for employees and contractors
Who manages and enforces the PCI DSS requirements?
The Payment Card Industry Security Standards Council (PCI SSC) is responsible for managing the security standards, while compliance with them is enforced by the founding members of the PCI SSC: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc (payment brands).
What are the consequences of non-compliance with the requirements?
Compliance with PCI DSS is not only a requirement by the individual payment brands, but it is also a sound business practice. It protects clients against identity theft and credit card fraud; it secures an organisation’s business reputation, and removes the risk of fines and fees being issued by the payment brands for non-compliance.
What are the sanctions for non-compliance?
- increased processing fees
- a bar on the processing of credit card transactions
- fines of up to £250,000 for each instance of non-compliance
What measures can your organisation take to achieve compliance?
Organisations are free to introduce bespoke measures in order to achieve compliance, and which are tailored to their specific practices and procedures. However, the following non-exhaustive list of common issues should always be considered by organisations in an attempt to achieve compliance:
- Any individuals who have access to financial information must be allocated a unique code so that access can be monitored and audited.
- Access to financial information must be allocated on a business need only basis.
- All individuals who will have access to information (both temporary staff and full time staff) must be credit screened in order to identify vulnerabilities. This screening should be carried out at regular intervals to ensure that it is kept up to date.
- Passwords used must not be the default passwords, must be changed regularly, must not be shared and must be sufficiently complex to avoid them being guessed or deciphered.
- Consider whether most of the card number entered onto the system can be blanked out so that only the last three digits are displayed. This reduces the risk arising from any interception, since the full number would be much harder to recover.
- Ideally, it should not be possible to print financial information onto paper form. However, if it is necessary, steps should be taken to ensure that it is disposed of securely and confidentially.
- Responsibility for monitoring compliance should be allocated.
- Can any other steps be taken to ensure the secure storage of information held electronically (e.g. firewalls, network intrusion devices and audit trails)?
- Consider who will be responsible for reviewing and monitoring compliance with the procedures that are in place and who will have responsibility for evaluating the effectiveness of those procedures.
- How often will current procedures be evaluated and what procedure will be followed in order to rectify problems or inadequacies that are identified as part of the evaluation process?
- Consider what measures can be put in place in order to mitigate the damage caused in the event of a breach occurring.
Data protection
PCI DSS compliance must be considered alongside the Data Protection Act 1998 (Act).
Financial information will often constitute personal data and will often be accompanied by sensitive personal data. It is vital therefore that it is also processed in accordance with the Act.
Principle 7 of the Act requires Data Controllers to ensure that appropriate technical and organisational measures are put in place in order to protect the personal data against unlawful access or disclosure.
If a breach of principle 7 were uncovered as a result of the loss, theft or other disclosure of this information, the potential implications for organisations are far reaching.
Not only would it attract negative media attention, but the Information Commissioner could issue a fine and/or Enforcement Notice (a public document) and carry out an investigation into the practices and procedures being followed by that organisation.
Also, the Information Commissioner's Office (ICO) is shortly to get the power to issue 'substantial fines' for breaches of the Act, and a breach of this type could fall within the category of a reckless breach of the Act (where it results in loss) and leave a business open to fines and claims for compensation from those whose information has been lost.
© Shoosmiths. This page is for general information: it is not legal advice. Please read our full terms and conditions for details of the disclaimers and exclusions which apply.
Aisling Duffy
Solicitor
T: 03700 86 5089
I: +44 (0)115 906 5089
E: aisling.duffy@shoosmiths.co.uk
