PCI/CISP Small Business: Appearances are not always what they seem.
Even small businesses need to comply with PCI/CISP regulations.

Small business and the cost of CISP non-compliance.

Raj Goel, CISSP, CTO Brainlink International, Inc.

/ 917-685-7731


The major credit card brands (VISA, MasterCard, American Express and Discover) classify all merchants in the US into 4 levels:

Merchant Level 1:
  • Any merchant, regardless of acceptance channel, processing over 6,000,000 transactions per year.
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
  • Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  • Any merchant identified by any other payment card brand as Level 1.

Merchant Level 2:
  • Any merchant processing 150,000 to 6,000,000 ecommerce transactions per year.

Merchant Level 3:
  • Any merchant processing 20,000 to 150,000 ecommerce transactions per year.

Merchant Level 4:
  • Any merchant processing fewer than 20,000 ecommerce transactions per year, and all other merchants processing up to 6,000,000 non-ecommerce transactions per year.


The CISP Requirements

  1. Install and maintain a working firewall to protect data
  2. Keep security patches up-to-date
  3. Protect stored data
  4. Encrypt data sent across public networks
  5. Use and regularly update anti-virus software
  6. Restrict access by "need to know"
  7. Assign unique ID to each person with computer access
  8. Don't use vendor-supplied defaults for passwords and security parameters
  9. Track all access to data by unique ID
  10. Regularly test security systems and processes
  11. Implement and maintain an information security policy
  12. Restrict physical access to data

CISP Penalties

Under Visa's CISP compliance program, failure to comply with CISP standards, or to rectify a security issue, might result in:

1) Restrictions on the merchant, or

2) Permanent prohibition of the merchant's or service provider's participation in Visa programs.

3) In addition, the following fines apply for non-compliance within a rolling 12-month period:

  • First Violation - $50,000
  • Second Violation - $100,000
  • Third Violation - Management Discretion

Did you know VISA can treat Level 3 and Level 4 merchants as Level 1 merchants in the event of a security breach, or of stolen cardholder data traced to your business? This follows directly from the second Level 1 criterion above: a merchant that has suffered an account data compromise is classified as Level 1 regardless of transaction volume.


Ask yourself, as a Level 3 or Level 4 merchant:
  • Do you have the people and skills required to meet the requirements?
  • Can you pay the CISP penalties?
  • Can you afford the cost of Level 1 compliance?

You should focus on running your business and let Brainlink address your credit card compliance.



Last Updated: Thursday, 06 April 2006