PCI Reports
The Cardholder Information Security Program (CISP) is a set of rules established by Visa for securing your computer systems and data from unauthorized access and loss of credit card information. These rules have been in place for several years and were required of large credit card processors, but were only recommendations for most merchants accepting credit cards.
The Payment Card Industry (PCI) data security standard is an industry-wide standard that incorporates many of the CISP standards and adds additional requirements. These are now generally referred to as the PCI data security standard or the PCI-CISP data security standard. Mastercard, American Express, Discover, and other card issuers use the new PCI standard as a part of their data security programs.
There are slightly different rules for different credit card issuers. For Visa, any merchant processing over 500,000 transactions a year must comply with PCI-CISP rules. For Mastercard, any merchant accepting $125,000 in transactions in a month must comply with PCI-CISP rules. Any loss of cardholder data will certainly result in an audit and mandatory compliance with the rules. You should consult with your bank or card processing vendor to determine whether you must meet PCI-CISP rules.
Even if you don’t meet the minimum requirements for PCI-CISP compliance, there are other good reasons to meet these rules. Complying with PCI-CISP will help in meeting other state and federal regulations for data security, such as California Privacy Notification, Sarbanes-Oxley, HIPAA, Gramm Leach Bliley (GLBA), and others. You will find a great deal of information on PCI and CISP at visa.com/cisp.
Merchants for whom Visa PCI-CISP rules are mandatory should have been compliant by June 30, 2005. Any merchant who processes more than 6 million transactions a year, or who is required by another card brand to submit to audit, or who has experienced a data loss, must pass a PCI-CISP audit by an independent assessor.
PCI-DSS
The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
The PCI Security Standards Council will enhance the PCI DSS as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption.
Ongoing development of the standard will provide for feedback from the Advisory Board and other participating organizations. All key stakeholders are encouraged to provide input during the creation and review of proposed additions or modifications to the PCI DSS.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized.
More information:
Compliance Monitor Solutions for the PCI Data Security Standard
PCI is not a government regulation; it is a requirement of private industry, namely the credit card issuers like VISA and Mastercard. It is much more specific than many of the laws and regulations that have been passed by federal and state legislators in recent years.
The PCI standard consists of 12 main requirements. The parts of the PCI standard that apply to IBM i, and that the PCI reports in Powertech Compliance Monitor for IBM i can help you address, are listed below:
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security for employees and contractors
Find these in the Regulatory Recommendations Report Group (see Reports and Regulatory Recommendations).