CISP, SDP, DISC… What Security Standards Do You Follow?

As a merchant, you accept Visa, MasterCard, American Express and Discover. You have learned that each card brand has its own set of data security guidelines. So, which one do you follow? Good news! The card industry has made that decision for you.

A Little History

The PCI Security Standards Council (PCI SSC) was formed in December 2004 by the major card brands (Visa, MasterCard, American Express, Discover and JCB) to educate the industry and to enhance the security standards in the credit card industry. Prior to 2004, each card company had developed its own data security program:

Visa – CISP (Cardholder Information Security Program)

MasterCard – SDP (Site Data Protection)

American Express – DSS (Data Security)

Discover – DISC (Data Security Guidelines)

Some of the requirements were redundant, and merchants were confused as to which one to follow. Even if a merchant only accepted Visa and MasterCard (bundled together in merchant processing agreements), the two security programs still differed in places. The agreement within the council was that if a merchant was CISP compliant, all the other card companies would consider the merchant to be compliant. After all, Visa has been the principal initiator for compliance over the years, with the other companies following suit with their own flavor. Additionally, the council agreed upon a uniform set of standards (PCI DSS) to simplify compliance for merchants.

The Standard Today

The PCI DSS (Payment Card Industry Data Security Standard) is the general term for PCI compliance today and governs all payment channels – retail (swiped), mail order, telephone order and e-commerce. It is divided into 12 security requirements, originally developed by Visa in 1999 (known then as the “digital dozen”).

The Security Standards Council does not validate PCI compliance or impose fines for non-compliance. What it does is own and enforce a uniform set of data security standards, as well as provide training and certification for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). The QSAs and ASVs exist to validate compliance and to interpret the PCI DSS for merchants and acquiring banks. On the flip side, each card brand has outlined specific fines for non-compliance, and merchants are fined accordingly. For example, Visa imposes a $5,000 fine on a mid-sized retailer who is not in compliance with the PCI DSS. The good news is that as of January 2008, according to Visa, more than three-quarters of large U.S. merchants, and nearly two-thirds of medium-sized retailers, were in compliance with the Payment Card Industry Data Security Standard (PCI DSS). To further promote PCI DSS, Visa has also offered financial incentives for compliance.

Although it is important for merchants to follow the current compliance standards, it is more important for merchants, software developers, payment processors and acquirers to be proactive about data security. Hackers will always be out there trying to break in, even if just to say they can do it. The PCI SSC is doing a good job, but I give kudos to anyone staying one step ahead of the game. Be a leader, not a follower.