PCIDSS

Credit Cards Security with Online Transaction and Credit Card Processing

There is a lot of misinformation on the Internet about the law, credit card details, the storage of those details and the applicable standards. This article gets to the point on the responsibilities that come with processing credit card transactions.

Merchants need to understand the importance of credit card security with regard to online transactions. PCI-DSS is a standard that many international banks and Australian banks conform to, and compliance with it is a term of the bank's contract with the merchant. Many people believe that this is a law. It is not. It is a contractual obligation to the bank that provides the facilities to the merchant.

What credit card information can be stored?

Standard credit card information such as the credit card number, cardholder name and expiry date can be stored, as long as the information is encrypted when stored on a system that has a satisfactory firewall and up-to-date commercial antivirus software.

What part of the card cannot be stored?

It is contrary to PCI-DSS standards to store sensitive information such as:

  • CVV numbers or
  • Digital Stripe Data

CVV Number

The CVV (also written CCV) number is usually the three-digit number on the back of the card.

Digital Stripe Data

The digital stripe data is the data encoded in the black magnetic stripe of your card.
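The storage rules above, as an added example that is not part of the original article: a Python helper that builds the only record a merchant may persist (card number, name, expiry), drops the fields the article says cannot be stored (CVV and stripe data), and scans free text such as logs for card numbers that should not be there. The field names, the demo key and the sample card (a standard Visa test number) are assumptions; masking to the first six and last four digits and the keyed one-way hash follow PCI-DSS Requirements 3.3 and 3.4, the hash standing in for the encryption the article mentions so that the example needs only the standard library.

```python
import hashlib
import hmac
import re

# Sensitive authentication data named on the page (CVV and magnetic stripe data),
# under the field names it commonly arrives with. These names are assumed.
FORBIDDEN_FIELDS = {"cvv", "cvc", "ccv", "cvv2", "track1", "track2", "track_data"}

def _digits(s: str) -> str:
    return "".join(c for c in s if c.isdigit())

def luhn_valid(pan: str) -> bool:
    """Luhn check digit test, used to tell real PANs from other digit runs."""
    d = [int(c) for c in _digits(pan)]
    if not 13 <= len(d) <= 19:
        return False
    total = 0
    for i, n in enumerate(reversed(d)):
        if i % 2 == 1:              # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits (PCI DSS Req. 3.3)."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]

def render_unreadable(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN (a Req. 3.4 method); irreversible, so it suits matching only."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()

def prepare_for_storage(card: dict, key: bytes) -> tuple:
    """Return (record, dropped): the persistable record plus the forbidden fields discarded."""
    dropped = sorted(k for k in card if k.lower() in FORBIDDEN_FIELDS)
    record = {
        "pan_masked": mask_pan(card["pan"]),
        "pan_hash": render_unreadable(card["pan"], key),
        "cardholder_name": card["cardholder_name"],
        "expiry": card["expiry"],
    }
    return record, dropped

PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def find_pans_in_text(text: str) -> list:
    """Scan free text (logs, notes) for Luhn-valid PANs; returns masked hits."""
    return [mask_pan(m.group()) for m in PAN_RE.finditer(text) if luhn_valid(m.group())]
```

The key passed to `render_unreadable` must come from proper key management, never from source code; the literal in the test is a demo value only.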

So what are the standards?
The standards are referred to as the digital dozen. They are listed below.

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.

The dangers of not complying:
If a merchant does not comply with the PCI standards, it may be in breach of its agreement with the bank, which gives the bank the right to terminate the contract.

The other danger is that if the credit card numbers you are storing are stolen, the bank has the (contractual) right to make you pay the fees related to the stolen cards.

For further and more detailed information, please visit the PCI Standards Web site.