On Tue, Aug 3, 2010 at 3:02 PM, E-Mail Sent to this address will be added to the BlackLists <[email protected]> wrote:
> Danny Mayer wrote:
>> Ryan Malayter wrote:
>>> PCI requirements
>
>> Ryan, can you please quote the reference to this document?
>
> <http://pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf>
>
>> You also didn't state in what jurisdiction this is valid.
>
> Compliance is mandated by the payment card brands,
> e.g. American Express, Discover, MasterCard, Visa, ...
> are all involved.
>
Correct. Any organization that accepts credit/debit cards anywhere in the world should be very familiar with the Payment Card Industry Data Security Standard (PCI-DSS). The initiative has been ongoing for five years or more, and July 1, 2010 was a recent deadline for organizations to comply or start getting fines for using non-compliant systems for handling credit card data.

Basically, if you're not PCI-DSS compliant, the card companies or your processor can fine you, or simply cut you off at their discretion. They may also assume little or no financial liability for fraudulent transactions if you are not compliant at the time of a card-holder data compromise.

Time synchronization is just one very small piece of the PCI-DSS requirements. Depending on the category of merchant you are, there might be hundreds of security-related policy and technology requirements you need to address. It's not inexpensive, but the massive amount of online card fraud and the huge number of woefully insecure web applications made it a necessity.

Many organizations are simply moving to outsourcing all credit/debit card transactions so that none of their systems ever see card data at all. This puts you in the "easiest" category for PCI compliance.

https://www.pcisecuritystandards.org

--
RPM
_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
