Syndicated Report Brochure
PCI Compliance:
Finding Value beyond Fine Avoidance
November 2007
Telephone: 925.225.9100
Fax: 925.225.9101
Address: 4309 Hacienda Dr., Suite 380 Pleasanton, CA 94588
Email: inquiry@javelinstrategy.com
Web site: www.javelinstrategy.com
Overview
Safeguarding customer data is a necessary component of good business practice, yet the number of breached accounts is at an all-time high. Data security has not been given front-line priority, and as a consequence an environment of mistrust of the card ecosystem has developed among consumers, merchants, acquirers, and issuing banks. To stem this tide, the payment networks have responded with a renewed emphasis, harsher penalties, and more specific deadlines for Payment Card Industry Data Security Standard (PCI DSS) compliance. Merchants are spending untold amounts to come into compliance, and many are confused as to the value of PCI compliance above and beyond fine avoidance. This report explores the challenges and issues presented by PCI compliance from the merchant perspective―including the five biggest compliance problems causing data breaches for merchants―drawing on qualitative executive interviews conducted with the PCI Council, payment networks, PCI vendors, Qualified Security Assessors (QSAs), and merchants themselves.
Primary Questions
• What is the real value of PCI compliance, aside from avoiding fines?
• What role does state legislation have in PCI compliance?
• What is the nature of merchant confusion with the PCI compliance process, and who is responsible for allaying this confusion?
• How can merchants be assured of “safe harbor” from lawsuits based on their compliance?
• What are the top five security weaknesses facing merchants becoming compliant?
• Are there any innovative approaches to help merchants deal with sensitive data storage?
Audience: Merchants, processors, QSAs, ASVs, service providers, vendors, financial institutions (FIs)—issuers and acquirers, and payment networks
Authors: Rachel Kim, Associate Analyst; Mary Monahan, Partner and Editor; Bruce Cundiff, Research Director
Publication date: November 2007
Price: $1,500
Length: ►26 pages ►15 charts/graphs
Table of Contents
Overview ..... 3
Primary Questions ..... 3
Findings and Analysis ..... 3
What Is the Real Value of PCI Compliance? ..... 4
  Consumers Will Reward Security Leaders, But How to Tell? ..... 6
    Consumers Prefer a PCI-Brand to Help Them Feel Safer When Shopping ..... 7
“Safe Harbor” Needed to Ensure Conformity and Effectiveness for Merchants ..... 8
  What Do State PCI and Data Breach Laws Imply for Merchants? ..... 8
Is Effective QSA Management a Missing Link in the PCI Compliance Process? ..... 11
Even with Progress in Outreach and Education, Merchant Confusion Lingers ..... 13
Despite Strong Improvement, All Payment Networks Must Be Actively Involved ..... 15
The Cost of PCI Compliance: Is It Worth the Expense? ..... 16
What Are the Five Top Weaknesses for Merchants Facing Compliance? ..... 18
  Highly Distributed, Sensitive Data ..... 18
  Data Controlled by Third Parties or Taken Off-Site ..... 18
  Problems at the POS ..... 19
  Legacy Systems and Niche Applications Bring Heightened Risk ..... 19
  Lack of Logging and Oversight ..... 19
Innovative Approach: Eliminate Storage and Passage of Card Information ..... 20
  Standing PCI Compliance on Its Head ..... 20
    EPX BuyerWall ..... 20
    Shift4’s SafeSwipe ..... 20
Where Is PCI Compliance Heading in 2008? ..... 21
  Merchant Questions Linger over PCI DSS 6.6 ..... 21
  Payment Application-Data Security Standard (PA-DSS) ..... 21
Appendix ..... 22
Related Research ..... 24
Glossary ..... 25
Table of Figures
Figure 1: Top Ten Largest Publicly Reported Security Breaches ..... 4
Figure 2: Consumers Are More Inclined to Shop at Merchants That Are Security Leaders ..... 6
Figure 3: Consumers Feel Most Protected by a Brand When Shopping ..... 7
Figure 4: Current State PCI Bills and Outcomes for Merchants ..... 8
Figure 5: Payment Networks Are Managing Their Acquirers, Acquirers Are Managing Their Merchants: Who Is Managing the QSAs? ..... 11
Figure 6: Inconsistencies among PCI Programs and the Lack of a Universal PCI Support Center Are Preventing Higher Compliance Rates ..... 13
Figure 7: Slow but Steady Progress in Compliance Rates for Visa Merchants ..... 15
Figure 8: Compliance Costs for Level 1 or 2 Merchant ..... 16
Figure 9: Costs of Non-Compliance for Level 1 or 2 Merchant ..... 16
Figure 10: Compliance Costs/Steps for a Level 4 Merchant ..... 17
Figure 11: Which Cardholder Data Elements Can Be Stored under PCI Compliance Rules? ..... 18
Figure 12: Payment Application-Data Security Standard (PA-DSS) Timeline ..... 21
Figure 13: Consumer Viewpoint: Who Is Least Secure in Protecting Account Information? ..... 22
Figure 14: Definitions of Merchant Levels One to Four ..... 23
Figure 15: Visa PCI Compliant Merchants as of August 31, 2007 ..... 23
Companies/Organizations Mentioned in Report
America Online
American Express
CardSystems
Chase Paymentech
Citigroup
Dai Nippon Printing Company
Data Processors International
Electronic Payment Exchange
Fidelity National Information Services
KDDI
MasterCard
National Retail Federation
Shift4
Symantec
TD Ameritrade
TJX Companies
TrustWave
UPS
US Department of Veterans Affairs
Visa
Sample Pages
Place Your Order as Follows:
1) Call us at 925 225 9100, x26
2) Email us at inquiry@javelinstrategy.com
3) Fax or mail using the form below:
Please send me the following report(s):
Report Title Publication Date Price
Name_____________________________________ Title_________________
Organization__________________________ Division or group_______________
Email______________________ Phone______________ Fax_______________
Address___________________________________________________
Signature to confirm your order: _______________________________
Payment Method:
[ ] Check Enclosed
[ ] Invoice me
[ ] Payment card
Visa, MC, AE or Disc. card #: _______________________ Exp date: __/__
Name on Card: _____________________
Signature_____________________
For invoicing, provide PO number: ________________________________________ (Invoicing is available to financial institutions or publicly owned firms)
Note: Reports are provided in electronic PDF form only. Javelin reports are subject to standard terms and conditions, as described on our web site. Javelin will contact you in the future to provide our free research newsletter or other mailings. If you do not wish to receive our newsletter or other mailings, you may advise us of this. Your contact information will not be sold to other organizations.