Credit Card Info 1400



  • For those who deal with credit card transactions, how are you handling the credit card info. in your database? Is masking the credit card number sufficient or will encryption needed?
    Also, the DBA’s access will be closely scrutinize but what about other folks?
    I am new to the credit card thing, so if anyone can share with me your thoughts and experiences, I would greatly appreciate it.
    Thanks,
    SG



  • SOX does not specifically address security requirements over credit card information. However, security standards and compliance requirements are addressed in the Payment Card Industry (PCI) Data Security Standard.
    If your company processes credit card transactions, maintains credit card information, and processes an established volume of credit card transactionns, you can determine compliance requirements, by reviewing the materials and resources online.
    A PCI Self-Assessment may be found online at:
    http://www.usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Self_Assessment_Questionnaire.doc
    The Payment Card Industry Data Security Standard (PCI) is a standard based on the Visa Cardholder Information Security program (CISP), MasterCard Site Data Protection program (SDP), American Express Security Operating Policy (DSOP), and Discover Information Security and Compliance (DISC).
    Merchants and service providers who store, transmit, or process credit card transactions must comply with this standard. Failure to comply can result in fines, restrictions being imposed by the card brand, or the merchant or service provider can be prohibited from accepting the card.
    The PCI Data Security Standard is built upon, the ‘Digital Dozen’, an easy to remember list of 12 basic security requirements with which all credit card payment system constituents need to comply. The security standard establishes:
    Three Defined program groups, based on their roles in the payment system
    More detailed requirements and sub-requirements for each program group, always tying back to the CISP ‘Digital Dozen’
    Defined and consistent testing procedures for independent validation of compliance
    A list of some 30 independent security assessors able to perform a CISP review
    A defined process for ensuring the on-going applicability of requirements and testing procedures
    A robust education and awareness effort
    Stated willingness to work towards acceptance of other trust marks and vice versa
    Penalties for failure to comply
    Digital Dozen
    Build and Maintain a Secure Network
    Requirement 1: Install and maintain a firewall configuration to protect data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
    Protect Cardholder Data
    Requirement 3: Protect stored data
    Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
    Maintain a Vulnerability Management Program
    Requirement 5: Use and regularly update anti-virus software
    Requirement 6: Develop and maintain secure systems and applications.
    Implement Strong Access Control Measures
    Requirement 7: Restrict access to data by business need-to-know
    Requirement 8: Assign a unique ID to each person with computer access
    Requirement 9: Restrict physical access to cardholder data
    Regularly Monitor and Test Networks
    Requirement 10: Track and monitor all access to network resources and cardholder data
    Requirement 11: Regularly test security systems and processes.
    Maintain an Information Security Policy
    Requirement 12: Maintain a policy that addresses information security
    A good resource of information may be found at:
    http://www.visa-asia.com/ap/sea/merchants/riskmgmt/ais_downloads.shtml
    Hope this helps,
    Milan



  • PCI Key Points:
    Background. Whenever someone clicks a Pay button on your company’s website, the payment info is processed in-house or by a 3rd-party credit card processing service provider, which then sends info to a credit card association member. The member then interfaces with the credit card company to eventually get payment into your company’s bank accounts.
    What is PCI Compliance? The PCI Standard is not a law. It’s a regulation created by payment card companies (MasterCard and Visa Card being the leaders) and enforceable under contractual obligations with these credit card companies.
    Members and merchants agree to abide by these standards under the terms of their contracts with payment card companies. The Payment Card Industry (PCI) Standard outlines the security requirements for transmitting, storing, accessing, or processing cardholder data.
    Compliance requirements. In general, the greater the annual volume of transactions the more stringent the security requirements. Compliance is required on a per-merchant account (MID) basis, which means that for departments with multiple MIDs each account has to be reviewed to ensure cardholder data is being handled correctly. The security requirements are inline with industry best practices.
    Penalties for Non-compliance (Visa). The credit card companies may impose penalties or fines on members, merchants, or their agents. Members or merchants are subjected to fines up to USD500,000 per incident if there is a compromise on their network resulting in the loss or theft of cardholder information, and the network was subsequently found to be non-compliant at the time of the compromise.
    Also, if a member or merchant fails to immediately notify credit card companies of suspected or confirmed loss or theft of transaction information, the member or merchant will be subject to a penalty of up to USD100,000 per incident. If merchants fail to pay fines, then the credit card companies may deny the privilege of accepting credit cards.
    Responsibilities. Members must comply with PCI, and are responsible for ensuring that their merchants, service providers, and their merchants’ service providers are compliant as well.
    Deadlines. The deadline for PCI compliance for merchants with 20K to 6,000K transactions per year (referred to as level 3 and 2 under PCI) was June 30, 2005. If a security breach occurs today resulting in compromise of a customer’s cardholder account data, the Company could be subjected to penalties or fines.
    Regards,
    Milan



  • It is indeed very wise to ensure this field is controlled. Milan has offered a wealth of information and having researched general security needs in the past, it is good planning to ensure to highly sensitive customer information like this is highly protected.
    Some high level ideas include:

    1. Research and plan this thoroughly - Google or other searches on ‘Protecting Credit Card information’ might help you. Work with your DBAs, development team, and security folks to develop an optimal solution. Evaluate and use the best practices out there.
    2. Ensure customer information is not easily exposured on your outbound Internet servers (you can shake hands between the Internet and application servers through special ports and other techniques)
    3. Use SSL encryption in your applications if they are web based
    4. Definitely encrypt this field and any other related fields
    5. Only allow the most trusted ‘need to know’ folks access it. Otherwise display all ‘*’ across the screen
    6. The use of a 3rd party processing firm is always a good option, if it’s too difficult to secure internally.
    7. While information protection is essential for SOX and other requirements, recognize that one major slipup (where a hacker/cracker might gain access) could be detrimental to your public relations and you could incur some liabilities.
      Good luck and I hope you find a good protective solution 🙂


  • I am working on my first PCI project. The main thing to bear in mind is that PCI has no interest in internal financial systems only the operational system handling card holder information.
    This organisation has avoided SOX so far so I am only working on controls for a small set of applications.
    The principle here is that card holder information is masked on all applications - Senior Manangement and Information Security have to approve requests for ‘Clear Card’ access - all access is auditable.
    That said the IT controls are much the same for PCI and SOX.
    One difference is that the line ‘We are not a bank’ that I have heard on projects in manufacturing companies does not apply here.



  • …That said the IT controls are much the same for PCI and SOX.
    Much of the PCI Data Security Standards has its roots in the data security requirements that were developed to comply with HIPAA. The SOX act was enacted after the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II). Thus, there are distinct similarities in the HIPAA compliance requirements and the PCI Data Security Standards.
    hipaa.org/
    Regards,
    Milan



  • While I need to update PCI links and key information, there are numerous items captured in this past post:
    PCI Resources Master List
    http-and-#58;//msmvps.com/blogs/harrywaldron/archive/2008/08/12/payment-card-industry-data-security-standard-key-resources.aspx


Log in to reply