Credit card companies issue cards to consumers, who shop on credit and pay their bills later. The companies make their money in two ways: first, by taking a commission from merchants, and second, by charging interest to the consumers who use their services. The process could not be simpler.
Unfortunately, the credit card companies are also liable for any loss resulting from fraud. Globally, due to the increase in fraud committed with stolen credit card data, companies now do not want to cover financial losses unless the merchants and credit card service providers have made standard security arrangements. And that is where the PCI SSC comes in.
The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
Founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc., the PCI Security Standards Council has been developed to enhance payment account data security by driving education and awareness of the PCI Security Standards.
In addition to creating the standards and spreading the awareness, the council manages training and certification through a list of approved PCI vendors.
How it Works
There are two kinds of entities that require enforcement of PCI standards: the ‘merchants’ and the ‘service providers’. The merchants are defined as the ones who either have a physical shop with a POS (point of sale) device to accept credit cards, or alternately, have an online shop.
Each of them is issued a merchant ID. Think of the service providers as the gateways or credit card processing companies that handle all the actual processing, storage, transmission and switching of transaction and cardholder data. They also help smaller merchants handle their transactions.
The PCI SSC, along with the credit card companies, has created four levels of standards based on the risk associated with the merchants and service providers.
The merchants and service providers have to make sure that the security running on their systems meets the standard for their respective level, which is determined by the number of card transactions they handle on an annual basis.
An example of the levels for Visa card merchants is:
Level 1: More than 6 million transactions per year
Level 2: Between 1 and 6 million
Level 3: Between 20 thousand and 1 million
Level 4: Less than 20 thousand a year
Any non-compliant merchant or service provider is fined, and might be held liable for any financial loss in case of a reported credit card fraud.
Enter the QSA
A QSA, or Qualified Security Assessor, is the person who guides and audits merchants and service providers so that they can achieve PCI compliance status. The QSA works with merchants to conduct a PCI assessment, provides support and guidance during the compliance process, defines the PCI scope of the audit, selects a representative sample, evaluates compensating controls and produces the final report.
All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data. PCI SSC is responsible for managing the security standards while each individual payment brand is responsible for managing and enforcing compliance to these standards.
But to really appreciate the kind of protection the PCI SSC provides, it is important to take a step back and understand how credit card fraud takes place to begin with. We are not talking about individual theft here. For an individual card to be stolen and then used online or in a transaction is a risky proposition for the thief: if you know your card has been stolen, you will take immediate preventive action.
Instead, what happens is that a large number of cards are stolen. One party steals the card data and then trades it online. There are actually websites where these card numbers are auctioned off in bulk. For obvious reasons, these websites keep changing their location and let their "clientele" know the next domain via email.
The credit card data is eventually sold in batches. The going rate is generally between 1 and 2 US dollars per card, but it also depends on the quality of the cardholder data.
For instance, data stolen from high-profile restaurants in London or New York where wealthy clients dine may sell for up to US$100 per card, because these people do not bother checking their credit card statements. The stolen numbers are traded online and then used for mail orders and online shopping.
Identifying the Vulnerabilities
It is important to understand that credit card data is usually stolen in one of two places: the physical merchant or the online store.
While there are obviously only so many recommendations you can give a physical merchant about best practices for processing credit cards, compliance with the PCI standards ensures that there are no vulnerabilities in the online system. The job of the QSA is to assess how "secure" the online merchant is.
Unlike Verisign or Truste, which secure the actual transmission, the QSA audits the entire online business process to assess potential weaknesses in the system and recommends how to strengthen them.
The encryption algorithms protecting transmissions are so strong that attacking the transmission itself is futile, so any breach will most likely occur before the data is actually submitted. Once a merchant is PCI compliant, he has to perform quarterly vulnerability scans of his internal and external networks. So a merchant who is already compliant but has not run the required scans within the set period can be fined a hefty fee.
It is important to remember that this exercise makes more sense for online businesses that have high volume traffic. For low volume websites, outsourcing the payment gateway makes more sense.
Well alright. There are some exceptions.
Let's say you are a Level 4 merchant running your business and you complete an SAQ (Self-Assessment Questionnaire). It is business as usual until you have a breach. The bank will then elevate you to Level 1, which costs a lot more to secure: PCI auditors charge in the range of $2,000 a day.
Add to that the cost of IP scanning. A PCI Approved Scanning Vendor charges approximately $500 to scan one IP address. So once there is a breach, and you had not aligned your processes with the PCI standards, you are in for a lot of trouble. The way to avoid this entire massive headache is to outsource the payment option for your business altogether.
While you can just as easily select an online payment gateway to process your transactions, so that you never handle any cardholder data, the problem with this option is the commission per transaction. Because the vendor will charge a high commission, this option becomes unprofitable for high-profile merchants.
Timelines and Best Practices
In the US, VISA enforced the following deadlines:
L1 Merchants – 30 September 2007
L2 Merchants – 31 December 2007
Failure to achieve compliance results in fines of up to $25,000 every month and may also mean higher commission rates for merchants. Please note that VISA does not deal with any merchant directly. Instead it deals with acquirers (i.e. the banks handling merchant payments), and it is the acquirers' job to enforce these standards on their merchants. The fines are charged by VISA to merchants through the acquirers.
The deadlines for achieving compliance in Europe are a few months after those in the US, and Asia's are later still. Europe, unlike the US, is somewhat ahead in credit card protection at point-of-sale merchants thanks to its Chip and PIN architecture.
Secondly, credit card fraud in Asia is much lower for card data stolen within the same country. But in any case, the standards will be enforced.