The Fundamentals of PCI DSS


Organizations which receive payments through credit cards are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS applies to all businesses performing any transaction using credit cards, including online shops and those selling goods. In order to ensure data security, the PCI SSC has created a set of standards known as the PCI DSS Token Rules. These rules make it mandatory for companies to follow certain guidelines when setting up accounts, selecting a merchant to do business with, and when entering into contracts.

An example of these rules is setting up accounts with the following details:

o Separate accounts are created for each country. Keep them separate to ensure you are protected if your business is forced to share your information with another.

o Credit card value tokens are used to identify fraudulent transactions.

o The credit card value tokens are usually transferred in minimum 10,000 per month.

o The fraud detection rate of the credit card value tokens is typically less than 20%.

o The cost of fraud detection is more than $1 million.

o The cost of policing is more than $2 million.

o There is no requirement for merchants to be individually responsible for maintaining security.

o A merchant opting to not comply with the standard by maintaining two separate identity definitions may still be held responsible for the actions of the company as a whole.

The PCI DSS provides for a standardized public key infrastructure for storing information on a computer. However, software writers must follow certain guidelines when including sensitive information in a program. This includes information that could be used by third parties to combat the owner of the information. The guidelines are simple, but could be meticulous:

(1) The information should not be likely to be used to identify a specific person.

(2) The information should not be likely to be exceeded by a third party.

(3) The amount of information should not be significantly excessive.

(4) The guidelines should require that any data that may be retained by the merchant must be destroyed after a specified amount of time.

Not everyone agrees with the strict guidelines the PCI DSS sets forth. Some entities follow the standards because they are enforced by other entities, such as banks. These entities must follow the rules because they were implemented to comply with the standards. Failure to comply could result in the freezing of your account and the commission of a crime against you.

The next class of standards deals with encryption. Encryption is the means by which information on a computer is protected. Information which is sent over the Internet is not receiving fair consideration in that there are several countries in the world which deny the rights of others to access information on their computers. It is this act which is in essence breaking down the data into pieces so that it is not received back into the original piece of work. The encryption is achieved using a mathematical scrambling algorithm.

Under the PCI DSS, companies are required to maintain a high level of security by using encryption whenever sensitive data is stored. This means that the company must use DDoS protection, start coding with PHP, integrate an application firewall, and secure all data with SSL certificates. Not many businesses can abide by these rules, much less stick to them.

The final rule of the PCI DSS deals with prompt notification to customers of a breach of the security rules. Customers should be informed of the risk of a breach as soon as possible. Developers must paint a clear and readable picture for the customer of what is happening with the application. Customers should be offered a way to opt out if they do not want to use the services or see a refund.

Companies which do not abide by the standards can expect to be acceded to by other companies who follow the same rules. This also indicates that hosting companies who host virtual servers or virtual private servers must follow the standards. Hosting companies who do not follow the standards may even be denied access to any virtual servers or VPS.

The virtual private server (VPS) rule is one of the more important rules to the virtualization rules since it deals with data security. Since a lot of transactions are made through remote user interfaces or virtual terminals, it is important to know that the security standards on a virtual server can make or break a company. If these rules are not being followed then customers could have their data protected by a virtual machine or a remote user interface.

The PHP/MySQL virtual server rules are important since many applications use the language and protocols to talk to databases. If these rules are not being followed then many confidential details about the user database tables will be exposed. For example, if the user registers a new contact they will need to fill in the query form to verify whether they really have the correct information in their database. An attacker could simply use this information to authenticate with their user account.