Most major credit card companies have adopted the Payment Card Industry (PCI) Data Security Standard, which was jointly developed by VISA and MasterCard. Adopters of the standard include American Express, Diners Club, Discover, and JCB International.
According to Qualsys, MasterCard intends to make annual self-assesments and quarterly security scans manditory beginning June 30 for all online members, merchants, and service providers who process more than $125,000 gross per month in credit card transactions.
The PCI standard requires that companies adhere to a specific set of information security requirements or risk heavy fines and face the possibility of becoming barred from processing credit card transactions. Numerous companies already comply with the standard and many security-related companies also provide auditing services and products that help with compliance.
Among the requirements are to maintain a firewall and intrusion detection system, hire an approved third-party auditor to perform quarterly external vulnerability testing, and to monitor file integrity including non-data files. The requirements also the need to render cardholder data unreadable by using one way hash functions, encryption, data truncation, or index tokens. Companies must also maintain an audit trail that dates back at least one year, implement an incident response plan, and much more. The full details of the requirements can be found at VISA's and MasterCard's Web site.
Note: This article was corrected 21 Apr 05 to reflect a correct dollar amount ($125,000) and the requirements for quarterly and annual security audits.