There are a number of regulations and standards that have been established to protect the privacy of individuals and to prevent fraud. One of these standards is called the Payment Card Industry Data Security Standard. Here is an overview of how it was established and what it is:
The Payment Card Industry (PCI), made up of Visa, MasterCard, American Express, Discover, JCB, and Diners Club, developed the Data Security Standard (DSS), initially based on Visa’s Cardholder Information Security Program (CISP), to help prevent payment card fraud and identity theft. It encourages and enhances cardholder data security and privacy by facilitating broad adoption of a consistent, global data security standard.
The principal goal of the data security standard is to protect cardholder data at all times, whether it is processed, stored, or in transit. The PCI DSS has been universally adopted by all major payment card brands and is governed by the PCI Security Standards Council (PCI SSC).
Unlike laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Leahy Personal Data Privacy Security Act of 2009, and Massachusetts 201 CMR 17, all of which are enforced by federal or state governments, the PCI DSS is NOT a legal or regulatory directive but, rather, a contractual obligation. The standard is enforced through a mandatory ‘contract chain’, whereby information security and privacy requirements are passed by contract language from the payment card companies to merchant banks and card processors, and eventually to merchants. As a result, compliance with the PCI DSS transcends both industry and geography and necessitates heavy involvement, if not oversight, from an organization’s legal team.
The PCI DSS is organized into 6 main control objectives, which are broken down into 12 primary requirements and approximately 210 individual controls. The control objectives address:
- Building and Maintaining Secure Networks
- Protecting Cardholder Data
- Maintaining a Vulnerability Management Program
- Implementing Strong Access Control Measures
- Regularly Monitoring and Testing Networks
- Maintaining an Information Security Policy
Failing to effectively manage and protect information while it is processed, stored, and transmitted can be unlawful and can negatively affect business reputation, customer base, employee morale, and revenue.
Both customers and employees expect their personal information to be protected by the organizations with which they do business. They are no longer willing to overlook an organization’s failure to keep their personal information secure and private. Therefore, it is imperative that organizations be aware of and educated on all information security and privacy requirements with which they must comply; this includes not only applicable laws and regulations but contractual obligations as well.
Bill Murray leads the Information Security and Disaster Recovery team at Westfield Insurance.