The Cost of Insecurity

More visible than ever, the theft of consumer data has become a major issue for merchants and customers in both the online and offline marketplaces. The Federal Trade Commission has estimated that more than 10 million Americans fall victim to identity theft each year, costing individuals roughly $5 billion and businesses roughly $48 billion annually.

Hackers and organized crime groups target poorly secured financial information to feed a thriving black market for stolen credit card numbers, bank account details, passwords, personal identification numbers and other data. These attacks affect far more than online retailers: breaches also occur in point-of-sale terminals, back-office systems, and wireless networks.

Stolen personal data means thousands of hours of investigation and serious costs for everyone affected, from the merchants that were breached to the individuals whose identities were stolen. For those individuals, the cascade of problems can last for years as they try to repair their credit and recover their financial lives.

To combat data theft, the major card brands (MasterCard, Visa, American Express, Discover and JCB) have created the Payment Card Industry Data Security Standard (PCI DSS), now maintained through the PCI Security Standards Council, which requires merchants, web-based retailers, and service providers that accept, process, store or transmit cardholder data to comply with a set of rigorous security requirements. The standard's twelve requirements are grouped under six goals, including building and maintaining a secure network, protecting stored cardholder data, and maintaining a vulnerability management program. To demonstrate compliance, merchants and service providers must validate their security posture through an assessment (a self-assessment questionnaire or, for the largest merchants, an on-site review by a Qualified Security Assessor) and must have quarterly external network scans performed by an Approved Scanning Vendor to locate and fix vulnerabilities that could lead to an intrusion. Organizations that are breached while out of compliance can face substantial fines, levied by the card brands and passed down through their acquiring bank.

PCI Data Security Structure

The Payment Card Industry differentiates between merchants and the credit card processor. The merchant is the business, whether a physical store, an internet website, or both, that accepts credit card payments in exchange for goods or services. Because the merchant handles the card data directly at the point of sale or checkout, it is both the first line of defense and the party best positioned to safeguard sensitive consumer information.

Next is the credit card processor, called the "acquiring bank" or "acquirer." Any merchant that processes credit card transactions must have a relationship with an acquiring bank that does the actual work of processing the payment. When a merchant runs a credit card transaction, it sends the request to the acquirer, which routes it through the card network to the cardholder's issuing bank; the issuer checks that the account has sufficient funds or credit and returns an authorization, which the acquirer relays back to the merchant. The card associations have assigned the task of enforcing the PCI requirements and monitoring merchant compliance to the acquiring banks, so fines and remediation demands reach a merchant through its acquirer. In fact, Visa has recently announced the Visa PCI Compliance Acceleration Program (PCI CAP), which combines financial incentives with fines to encourage adoption of the PCI standard.