Credit Card Security from an IT Perspective
By Chris Hecht
Your association’s Web site likely offers members the option of purchasing products and registering for events online with their credit cards. Members enjoy the convenience of making transactions anywhere and anytime, and your association enjoys expanded revenue opportunities. But along with this convenience comes the threat of credit card fraud, which the Federal Trade Commission has found is the most common form of identity theft. Maintaining secure information systems provides your organization with the main line of defense in protecting members’ personal information against theft and fraudulent use.
The PCI Security Standards Council—a consortium of stakeholders in the personal credit card industry (PCI)—has developed an industry-wide technical security standard for organizations to adopt in protecting account holder information. The most recent version, 1.1, was released in September and appears below.
Association leaders should check with their IT departments that they are in compliance with these standards. Some of the standards may require allocation of additional association resources—for example, purchasing anti-virus updates—in order to protect private member information. Other standards may require executive direction to the IT department, such as requiring a written information security policy.
PCI Data Security Standard

| Principle | Requirement |
| --- | --- |
| Build and Maintain a Secure Network | Requirement 1: Install and maintain a firewall configuration to protect cardholder data |
| | Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | Requirement 3: Protect stored cardholder data |
| | Requirement 4: Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | Requirement 5: Use and regularly update anti-virus software |
| | Requirement 6: Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | Requirement 7: Restrict access to cardholder data by business need-to-know |
| | Requirement 8: Assign a unique ID to each person with computer access |
| | Requirement 9: Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | Requirement 10: Track and monitor all access to network resources and cardholder data |
| | Requirement 11: Regularly test security systems and processes |
| Maintain an Information Security Policy | Requirement 12: Maintain a policy that addresses information security |

Source: PCI Security Standards Council, 2006.
There are tools that help organizations support data security standards, including secure sockets layer (SSL) or digital certificates and secure Internet gateway services between businesses and credit card networks. Digital certificates—for example, Thawte—validate your association’s Internet identity, thereby building trust in your Web site. In addition, digital certificates protect data transmission through encryption. Internet gateways, such as Authorize.net, route credit card payment information through secure networks.
Resources
For more information on the topics in this article, visit the following Web sites.
PCI Security Standards Council: https://www.pcisecuritystandards.org.
Details on SSL: https://www.thawte.com/ssl-digital-certificates/ssl-info/index.html.
How Authorize.net works: http://www.authorize.net/company/whatwedo/.