PCI承諾：在良好的迴避策略之下被看出的價值

Safeguarding customer data is a necessary component of good business practice, yet the numbers of data breached accounts are at an all time high. Data security has not been given front line priority, and as a consequence an environment of mistrust of the card eco-system has developed among consumers, merchants, acquirers, and issuing banks. To stem this tide, the payment networks have responded with a renewed emphasis, harsher penalties, and more specific deadlines for Payment Card Industry Data Security Standards (PCI DDS) compliance. Merchants are spending untold amounts to come into compliance, and many are confused as to the value of PCI compliance above and beyond fine avoidance. This report explores the challenges and issues presented by PCI compliance from the merchant perspective-including the five biggest compliance problems causing data breaches for merchants-extracting from qualitative executive interviews conducted with the PCI council, payment networks, PCI vendors, Qualified Security Assessors (QSAs), and merchants themselves.

• What is the real value of PCI compliance, aside from avoiding fines?
• What role does state legislation have in PCI compliance?
• What is the nature of merchant confusion with the PCI compliance process, and who is responsible for allaying this confusion?
• How can merchants be assured of “safe harbor” from lawsuits based on their compliance?
• What are the top five security weaknesses facing merchants becoming compliant?
• Are there any innovative approaches to help merchants deal with sensitive data storage?

Merchants, processors, QSAs, ASVs, service providers, vendors, financial institutions (FIs)- issuers and acquirers, and payment networks

• American Online
• American Express
• CardSystems
• Chase Paymentech
• Citigroup
• Dai Nippon Printing Company
• Data Processors International
• Electronic Payment Exchange
• Fidelity National Information Services
• KDDI
• MasterCard
• National Retail Federation
• Shift4
• Symantec
• TD Ameritrade
• TJX Companies
• TrustWave
• UPS
• US Department of Veteran Affairs
• Visa

• Overview
• Primary Questions
• Findings and Analysis
• What Is the Real Value of PCI Compliance?
• Consumers Will Reward Security Leaders, But How to Tell?
  • Consumers Prefer a PCI-Brand to Help them Feel Safer When Shopping
• “Safe Harbor” Needed to Ensure Conformity and Effectiveness for Merchants
  • What Do State PCI and Data Breach Laws Imply for Merchants?
• Is Effective QSA Management a Missing Link in the PCI Compliance Process?
• Even with Progress in Outreach and Education, Merchant Confusion Lingers
• Despite Strong Improvement, All Payment Networks Must Be Actively Involved
• The Cost of PCI Compliance: Is it Worth the Expense?
• What Are the Five Top Weaknesses for Merchants Facing Compliance?
  • Highly Distributed , Sensitive Data,
  • Data Controlled by Third Parties or Taken Off-Site
  • Problems at the POS
  • Legacy Systems and Niche Applications Bring Heightened Risk
  • Lack of Logging and Oversight
• Innovative Approach: Eliminate Storage and Passage of Card Information
  • Standing PCI Compliance on its Head
    • EPX BuyerWall
    • Shift4' s SafeSwipe
• Where Is PCI Compliance Heading in 2008?
  • Merchant Questions Linger over PCI DDS 6.6
  • Payment Application-Data Security Standard (PA-DSS)
• Appendix
• Related Research
• Glossary

• Figure 1: Top Ten Largest Publicly Reported Security Breaches
• Figure 2: Consumers Are More Inclined to Shop at merchants that Are Security Leaders
• Figure 3: Consumers Feel Most Protected by a Brand When Shopping
• Figure 4: Current PCI State PCI Bills and Outcomes for Merchants
• Figure 5: Payment Networks Are Managing their Acquirers, Acquirers Are Managing their Merchants: Who Is Managing the QSAs?
• Figure 6: Inconsistencies among PCI Programs and the Lack of a Universal PCI Support Center Are Preventing Higher Compliance Rates
• Figure 7: Slow but Steady Progress in Compliance Rates for Visa Merchants
• Figure 8: Compliance Costs for Level 1 or 2 Merchant
• Figure 9: Costs of Non-Compliance for Level 1 or 2 Merchant
• Figure 10: Compliance Costs/Steps for a Level 4 Merchant
• Figure 11: Which Cardholder Data Elements Can Be Stored under PCI Compliance Rules?
• Figure 12: Payment Application-Data Security Standards (PA-DSS) Timeline
• Figure 13: Consumer Viewpoint: Who Is Least Secure in Protecting Account Information?
• Figure 14: Definitions of Merchant Levels One to Four
• Figure 15: Visa PCI Compliant Merchants as of August 31, 2007