Credit Card Security Compliance Study
Consulting and Training Company E-Commerce Site
Background:
In order to combat the growing threat of identity theft and other forms of cyber crime, the major credit card companies agreed on a single set of security standards, the Payment Card Industry Data Security Standard (PCI DSS, referred to below as the PCI Standards). Mastercard, Visa, American Express, and Diners Club agreed to implement these standards and require that all merchants and service providers that accept their cards comply with the controls the standard defines. Compliance became mandatory in June 2005.
The validation requirements of the PCI Standards vary according to the volume of transactions a merchant processes. Depending on volume, the reporting requirements range from an annual self-assessment for small merchants to an annual on-site audit by an independent, qualified assessor for the largest merchants. In addition, any merchant with Internet-facing systems must have those systems scanned for vulnerabilities at least quarterly by an Approved Scanning Vendor. In the event of a breach, the card brands can assess fines of up to $500,000 per occurrence and can revoke a merchant's privilege to accept cards. These penalties are generally waived for organizations that can show they were compliant with the PCI Standards at the time of the breach. Apart from the fines and the threatened loss of card privileges, the potential damage to a business from a compromise of sensitive customer data goes far beyond any imposed fine.
The Study:
Providence Enterprise Group conducted a comprehensive audit of the E-Commerce Site of a prominent Consulting and Training company that offers many of its products through its web site. The audit was conducted using a vulnerability scanning product that probed the site from the Internet and examined it for known weaknesses (open services, outdated software versions, insecure configurations and common web application flaws). The product used has been approved and certified for this purpose by the PCI Standards group. A "Passed" rating means that no vulnerability of the severity the PCI Standards prohibit was found, and it serves as the evidence of compliance the standard requires for the quarterly external scanning requirement; the scan complements, rather than replaces, the merchant's self-assessment or on-site audit. Conversely, a "Failed" rating indicates security vulnerabilities that place the company at risk of compromise, and therefore of penalties in the event of a breach.
The initial security scan indicated that several vulnerabilities existed, and a "Failed" rating was the result. To fix the problem, each vulnerability was identified, rated by severity, and matched with a recommended remediation step. In this case the company's information systems staff implemented the changes, eliminating the vulnerabilities. Providence Enterprise Group then re-ran the scan, which resulted in a "Passed" rating. The "Passed" certificate was placed in the Security Audit report, which satisfied the due diligence requirement set out by the PCI Standards. Because the scan reflects the state of the site only on the day it was run, the PCI Standards require it to be repeated at least quarterly and after any significant change to the site.