Article: PCI DSS - penalty of not being compliant Journal: International Journal of Auditing Technology (IJAUDIT) 2014 Vol.2 No.1 pp.37 - 46 Abstract: PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. To be PCI compliant, credit card merchants should respond to a series of requirements imposed by the credit card industry. The internal audit and information security team should work together to achieve the PCI compliance. The information security experts design and implement technologies to secure the resources. Continuous audit, both internal and external, provides feedback on the effectiveness of these technologies in protecting the information and provides suggestions for improvement. In this paper, we explain the importance of being PCI compliant, the consequences of not being PCI compliant through a real-life case study of an insurance company. We also describe the importance of internal auditing and why should internal audit be conducted periodically. The case also demonstrates the need for compliance and the issues around the payment card industry in terms of data security pertaining to cardholder data. The case further explains the cost associated in terms of non compliance and/or breach of cardholder data, penalty that has to be paid to the member banks. Inderscience Publishers - linking academia, business and industry through research

Title: PCI DSS - penalty of not being compliant

Authors: Umesh Hodeghatta Rao; Umesha Nayak; R. Gopalakrishnan

Addresses: Xavier Institute of Management, Chandrashekarpur, Bhubaneswar, India ' MUSA Software Engineering Pvt. Ltd., J.P. Nagar, 2nd Phase, Bangalore, India ' Cognizant Technology Solutions, #5/535, Old Mahabalipuram Road, Okkiyam Thuraipakkam, Chennai, Tamil Nadu 600096, India

Abstract: PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. To be PCI compliant, credit card merchants should respond to a series of requirements imposed by the credit card industry. The internal audit and information security team should work together to achieve the PCI compliance. The information security experts design and implement technologies to secure the resources. Continuous audit, both internal and external, provides feedback on the effectiveness of these technologies in protecting the information and provides suggestions for improvement. In this paper, we explain the importance of being PCI compliant, the consequences of not being PCI compliant through a real-life case study of an insurance company. We also describe the importance of internal auditing and why should internal audit be conducted periodically. The case also demonstrates the need for compliance and the issues around the payment card industry in terms of data security pertaining to cardholder data. The case further explains the cost associated in terms of non compliance and/or breach of cardholder data, penalty that has to be paid to the member banks.

Keywords: PCI standard; PCI compliance; information security; payment card industry; data protection; credit card industry; credit cards; insurance industry; internal auditing.

DOI: 10.1504/IJAUDIT.2014.064316

International Journal of Auditing Technology, 2014 Vol.2 No.1, pp.37 - 46

Received: 20 Nov 2013
Accepted: 12 Feb 2014
Published online: 28 Aug 2014 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article

Title: PCI DSS - penalty of not being compliant

Keep up-to-date