PCI Compliance – what is it?

Posted by: Jason Grant in SaaSPCIBilling on  

Most of us have heard of the PCI standard. Some of us have gone through the implementation and maintenance of a PCI compliant system. If you're not familiar with the standard, and what it entails, let me shed a little light on the subject.

PCI, or rather, PCI-DSS, stands for Payment Card Industry Data Security Standard. It is a set of requirements introduced by the PCI Security Standards Council (composed of members that represent American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) in an effort to ensure the protection of credit card data by organizations that handle the data, such as online stores and billing companies.

What kinds of things are covered by the standard? As a short list: a secure network, protection (encryption) of cardholder data, maintenance of a vulnerability management program, strong access control measures, and regular testing of the systems and their security. Other sites provide more detail on the standard; http://pcianswers.com, for example, has a good overview.

Clearly, the list crosses the boundaries between operations and development and requires a focused effort to achieve compliance.

So, what should you do if you want to handle credit card data? If you have the operational and development skills in house and, more importantly, the time, compliance is achievable. Our company was fortunate to have not only a development department but also a capable operations department and control of our own datacenter. Often, software-focused organizations do not have the operational knowledge to ensure all the security measures are in place, or to get them in place. At the very least, depending on your transaction volume, you will need to bring in a third party to carry out the required audits.

Be prepared for the ongoing maintenance and updates that come along with PCI compliance. In addition to the scans of the system that must be carried out on a regular basis by an external party, the standard itself is evolving. For example, by the end of June 2008, the standard required that application-level firewalls be in place in addition to the network-level firewalls.

PCI is a good standard, and maintaining our compliance draws on all of our available technical and procedural skill sets. For those of you just getting involved with the standard, take a close look at all that it entails, and be sure you have the skill sets available to become compliant.


Comments (1)

pci compliance
written by pci, June 01, 2009
This information is very helpful. It really helps me understand more about PCI. Keep posting. Will certainly try doing that myself. Your post/article really helped. Thanks a lot.
