PCI/CISP Certification: Your 101 Guide
Credit Card Companies Actions
You would be hard pressed to find a person not worried about identity theft in the modern world. What many people may not know is what credit card companies have done to help minimize identity theft over the past decade. The large credit card companies have developed the Payment Card Industry Data Security Standard, or the PCI, and the Cardholder Information Security Program, or the CISP. These two standards were put into place starting in 2004. What do these two things mean, and how do they help protect against identity theft?
The PCI and the CISP provide industry-wide standards for the way credit card transactions are handled by merchants. The standards were developed over time from carefully selected best practices to ensure financial data privacy and security. These standards apply to all transaction types: brick and mortar, mail order, telephone sales and online sales. The standards are required of merchants and providers to help protect consumers' personal data and to help protect against identity theft and other fraud.
The standards protect data through the use of encryption, access control, physical security and frequent auditing. The encryption standard requires a minimum of Triple-DES 128-bit or AES 256-bit wherever consumer data is located, HTTPS has to be a part of the URL, and Secure Sockets Layer certificates must be used. Access control and physical security entail prohibiting access to persons not directly required to work with consumer data, through the use of limited-entry doors, Personal Identification Numbers and secured gateways for wireless networks. Auditing is performed by certified auditors and consists of testing for vulnerabilities in the networks, websites and systems infrastructure that may be exploited. Merchants not meeting PCI standards can be penalized with the following:
$500,000 in fines (per incident)
Complete loss of ability to process card transactions
$10,000 in monthly fines
Major public relations crises
Certification or Compliance
Merchants and providers wishing to become PCI/CISP compliant or PCI/CISP certified must meet certain requirements. The requirements for each may differ significantly in some areas. The stricter of the two is PCI/CISP certification. Merchants that achieve PCI/CISP certification offer a higher level of security for their consumers. Certified merchants have made significant investments in their computer hardware and software to meet the guidelines set by the PCI. These merchants may have made changes to their buildings to meet the guidelines, and they are required to be audited frequently by certified auditors. PCI/CISP compliance means a merchant follows the PCI DSS guidelines, which do not offer the same level of security as certification, especially since compliant merchants are only checked yearly; this makes it easier for customers' data to be stolen through various vulnerabilities.
Identity theft affects millions of people each year. Quite often identity theft is the result of inadequate safety measures regarding consumers' credit card data. Any time a consumer is the victim of identity theft it is very stressful. They have to make many phone calls to authorities and fill out numerous reports, and they may still face tarnished credit as a result. The business may lose many customers due to a security breach involving consumers' data, since consumers may feel they cannot trust the business afterward. Merchants realize it is less expensive to become PCI/CISP certified than it is to risk a major security breach.
The big name credit card companies have developed and enforced two standards to help protect against identity theft and fraud. These two standards are the Payment Card Industry Data Security Standard, or the PCI, and the Cardholder Information Security Program, or the CISP.