The new PCI DSS 6.6 rules, which require businesses that process credit card transactions to protect their web applications from hackers, went into effect on June 30. Merchants that fail to meet the Payment Card Industry Data Security Standard (PCI DSS) may face heavy fines of up to $500,000 levied by the credit card companies.
The rules are important because if businesses take them seriously and try to mitigate web application attacks, credit card number thefts could be reduced by nearly half, according to the vigilant authors at PCI Blog (PCI DSS Requirements 6.6).
But these web application security requirements, which used to be best practices, are now mandatory, and that is going to catch a lot of businesses off-guard. Businesses that fail to deploy a web security audit tool from recognized experts simply won’t be compliant.
Many businesses may want to comply with PCI but need more information. Here are some tips:
1. There are four levels of merchant classifications that require different standards of compliance. Check which merchant level applies to you on the Visa Cardholder Information Security Program page. Your merchant classification affects the kinds of steps your business needs to take to become PCI compliant.
2. You need to fill out a self-assessment questionnaire (except if you are a Level 1 vendor) to evaluate your current level of PCI compliance. The document can be downloaded from the PCI Security Standards Council Website.
3. The PCI Security Standards Council site also has an FAQ with detailed answers to common PCI questions that businesses might have. For example: "Is the implementation of encryption of cardholder data alone sufficient for PCI DSS compliance?" (Short answer: no.)
The process of becoming PCI compliant involves many other questions, but fortunately, there are experts who can help. Other PCI tips are welcome.
Vaclav Vincalek July 11th, 2008 11:22:35 AM