[ best p r a c t i c e s : D ata s e c u r i t y b y b rya n j o h n s o n a n d b e n r o t h k e
Best Practices for
PCI, like most information security fundamentals,
is simply focused on attention to detail and risk management.
By now, most IT managers are adequately theft is one of the largest reported customer different levels maintain the same PCI DSS
familiar with the PCI Data Security Standard data breaches to date. technical requirements but vary on proof
(PCI DSS) to know it is a requirement if The $12 million in losses was for costs of validation requirements:
they want to process credit cards. What incurred to investigate and contain the intru- LeveL 1: More than 6 million transactions
frightens many of these managers is they sion, improve computer security and systems, annually across all channels, including
are wading into this unfamiliar territory and and communicate with customers, as well as e-commerce.
are nervous about PCI likely consuming a technical, legal and other fees. TJX also re- ReqUIRement: Annual Onsite PCI Data
significant amount of their staff’s time and ported that it would continue incurring these Security Assessment and Quarterly
department’s budget. types of costs related to the intrusion. Network Scans.
But even the most expensive PCI proj- With a comprehensive and formal secu- LeveL 2: 1 million to just shy of 6 million
ect still pales in comparison to the costs rity program in place, which would sup- transactions annually.
of even a single significant data breach. A port specific PCI requirements relevant to ReqUIRement: Annual Self-Assessment and
single breach can cost millions of dollars to their business, chances are they would not Quarterly Network Scans.
clean up and tens of millions of dollars in be in the situation they are in now: facing LeveL 3: 20,000 to 1 million e-commerce
long-term costs. myriad lawsuits. TJX violated numerous transactions annually.
TJX Companies, for example, is now basic security guidelines and various PCI ReqUIRement: Annual Self-Assessment and
the poster child for how to do things wrong requirements, all of which had a direct fi- Quarterly Network Scans.
when it comes to a breach. The company nancial impact on its earnings. LeveL 4: Fewer than 20,000 e-commerce
announced earlier this year that it took a transactions annually, and all merchants
$12 million loss, equal to 3 cents per share, Understanding PCI Compliance across channel up to 1 million Visa trans-
because more than 40 million credit and Businesses that process credit cards will actions annually.
debit card numbers were stolen from its fall into one of four PCI categories based ReqUIRement: Annual Self-Assessment and
systems during an 18-month period. That on their annual processing volumes. The Annual Network Scans.
BizTechMagazine.com • December 2007 53