Created by e-skills uk

e-skills UK Guide

IT legislation and regulation

IT legislation and regulations for credit card merchants

Running a business means juggling a series of competing pressures, some of which are more important than others. At the top of the list of things to do must be your legal and compliance requirements, as failing to remain on the correct side of the law can result in prosecution or a withdrawal of services or facilities.

We have covered two significant pieces of legislation, the Data Protection Act and the Regulation of Investigatory Powers Act, in a separate guide.

In addition, we explained eBusiness-specific legislation in a separate guide.


In this guide we will focus on the Payment Card Industry Data Security Standards (PCI DSS) as they affect credit card merchants.

How do these rules affect a merchant?

When processing credit card payments you are given access to a customer's card details, including the main card number, expiry date, card validation number and the cardholder's address. Clearly this information is of great interest to a criminal, and if your database of customer card details were ever stolen or lost, many customers could be put at risk.

The scale of "cardholder not present" fraud has increased markedly over the past few years as more goods are sold remotely over the internet.

In an effort to tighten up the security of credit card data, the card issuers have come together to set out a number of rules that must be adhered to by merchants storing credit card details on a computer system. These rules are called the Payment Card Industry Data Security Standards (PCI DSS). Although these rules are not enshrined in law as such, if you fail to adhere to them you may be fined by the card issuer or have your credit card merchant status removed.

PCI DSS regulations are only applicable if you store customer credit card details in a computer system. If you keep them on paper then you are not directly subject to these rules.

What are the PCI DSS rules?

There are 12 PCI DSS rules that a merchant must adhere to. These rules put in place basic IT security requirements and should prevent credit card data from being stolen. The good news is that these rules reflect what is considered best practice anyway, so you should really be applying these standards as part of your IT-based security whether or not PCI DSS applies to you:

  • Install and maintain a firewall configuration to protect cardholder data. A firewall is a device that prevents people from entering your computers across the network and stealing data or corrupting your systems.
  • Change the default passwords on your computer systems to something only you know.
  • Protect stored cardholder data from being accessed by anyone other than those who need it for their work.
  • Encrypt cardholder data so that it is not readable by anyone without the key or password needed to decrypt it.
  • Use and regularly update anti-virus software so that your systems cannot be infected.
  • Develop and maintain secure systems and applications. This makes it more difficult for people to gain access to your data.
  • Restrict access to cardholder data on a need-to-know basis, as not everyone in your business needs access to this data.
  • Assign a unique ID to each person with computer access, so that you can trace who is accessing which data.
  • Restrict physical access to cardholder data, for example by locking away the data disk or server.
  • Track and monitor all access to network resources and cardholder data, so that any unauthorised access can be detected.
  • Regularly test security systems and processes to make sure they are all working.
  • Maintain a policy that addresses information security, and make sure everyone understands it.
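As an added illustration of the third and tenth rules (protecting stored cardholder data and monitoring access to it), and not part of the original guide: a Python scan over log lines that finds card numbers using the Luhn check, masks them to the first six and last four digits, and removes card validation values, which PCI DSS does not permit to be stored after authorisation. The log lines, field names and the well-known test card numbers in them are constructed for this example.

```python
import re

# Constructed sample log lines (not from the guide). The card numbers are
# publicly documented test PANs, not real accounts.
SAMPLE_LOGS = [
    "2024-03-01 10:02:11 order=1001 pan=4111111111111111 exp=12/26 cvv=123",
    "2024-03-01 10:03:45 order=1002 pan=5500-0000-0000-0004 exp=01/27",
    "2024-03-01 10:04:02 order=1003 invoice ref 1234567890123456 paid",
    "2024-03-01 10:05:19 health check ok",
]

# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Card validation value fields; these must never be retained after authorisation.
CVV_FIELD = re.compile(r"\b(cvv|cvc|cid)=\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits):
    """Luhn checksum: filters out invoice numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep at most the first six and last four digits, as PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line):
    """Return (redacted line, number of PANs found in it)."""
    found = 0

    def _replace(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # not a card number; leave untouched
        found += 1
        return mask_pan(digits)

    out = PAN_CANDIDATE.sub(_replace, line)
    out = CVV_FIELD.sub(lambda m: m.group(1) + "=[REMOVED]", out)
    return out, found


def scan_logs(lines):
    """Return (redacted lines, count of lines that leaked a card number)."""
    redacted, hits = [], 0
    for line in lines:
        out, n = redact_line(line)
        redacted.append(out)
        hits += 1 if n else 0
    return redacted, hits
```

A non-zero hit count means full card numbers reached a place they should not be stored, which is both a finding to fix and an event worth alerting on.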

Where can you get further information?

We have a number of guides that address IT security issues in more depth.

PCI DSS is an evolving standard. The rules change based on feedback from merchants and card issuers alike. If you are affected by PCI DSS, it is strongly suggested that you contact your service provider and check your specific situation.

In the meantime, these links may be useful:
