About the PCI Data Security Standard (PCI DSS)
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. See the PCI Security Standards Council official site for further information.
’08 Navigating PCI DSS (Understanding the Intent of the Requirements)
Without a trained and readily available incident response team, extended damage to the network could occur, and critical data and systems may become “polluted” by inappropriate handling of the targeted systems. This can hinder the success of a post-incident investigation. If internal resources are not available, consider contracting with a vendor that provides these services (Section 12.9.3, Page 36).
PCI DSS Version 1.1 Doc
’08 PCI DSS Self-Assessment Questionnaire (Instructions and Guidelines)
PCI DSS was designed and includes detailed requirements for exactly this reason—to minimize the chance of compromise and the effects if a compromise does occur. Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems) (Requirements 10.6, 11.2, 11.4 and 11.5)
PCI DSS Version 1.1 Doc
Think about whether the storage of that data and the business process it supports are worth the following:
- The risk of having the data compromised.
- The additional PCI DSS efforts that must be applied to protect that data.
- The ongoing maintenance efforts to remain PCI DSS compliant over time.
The new version of the PCI Data Security Standard (version 1.1) became effective January 1, 2007.
Version 1.1 of the PCI Data Security Standard became effective with the launch of the PCI Security Standards Council. Some of the more complex individual requirements contained in the new version of the standard have built-in lead time for implementation. As of January 1, 2007 all new certifications and newly initiated re-certifications must be based on DSS version 1.1. Please consult the individual payment brands regarding certifications or re-certifications based on the January 2005 version of the PCI DSS that are not completed by the end of 2006. https://www.pcisecuritystandards.org/about/faqs.htm#q28
Fines for PCI Compliance and Data Storage
Specifically for PCI compliance, acquirers will be fined between $5,000 and $25,000 a month for each of its Level 1 and 2 merchants who have not validated by September 30, 2007 and December 31, 2007 respectively. For prohibited data storage, acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner. http://usa.visa.com/about_visa/press_resources/news/press_releases/nr367.html
The real cost of PCI compliance is not in getting compliant but in the ongoing cost of maintaining compliance. One of the biggest problems the Payment Card Industry (PCI) Data Security Standard (DSS) has faced over the past year or so has been merchant education about PCI DSS and what is needed to achieve compliance.
It has been difficult and confusing for merchants who have been trying to analyze what equipment, applications, data, etc. they already have in place and which sections of the requirements those solve versus what is still needed to achieve compliance. One of the most important factors that many merchants seem to overlook in their analysis is an accurate assessment of the level of service they believe they can provide themselves by handling the ongoing technical management and monitoring of all aspects of compliance in-house. Other factors that are often understated or overlooked altogether are the costs in human resources as well as the additional equipment, software, licensing and maintenance costs that will be required to achieve and maintain ongoing compliance. This lesson is learned at the expense of reduced levels of security event response, diminished quality of life for employees, and the realized need to hire additional security personnel to meet the 24x7 monitoring requirements of compliance. It is learned at the expense of valued employees and hundreds of thousands of wasted dollars, only to find that it is impossible for a merchant to cost-effectively respond to and manage the sheer volume of alerts and false positives generated by these network security systems.
Payment Card Industry (PCI) Data Security Standard (DSS) www.pcisecuritystandards.org
The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
The PCI Security Standards Council's mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.
By establishing an independent body to govern the security standards for the payments industry, the founding members of the PCI Security Standards Council are creating a unified, global system that is more accessible and efficient for all stakeholders - merchants, processors, point-of-sale vendors, financial institutions, and payment companies alike.
The PCI Security Standards Council owns, develops, maintains and distributes the PCI Data Security Standard (DSS). To improve compliance and reduce costs and lead times for implementation of the standard, the PCI Security Standards Council also defines qualifications for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs); and trains, tests and certifies QSAs and ASVs.
Merchant Levels: Merchants who store, process, or transmit Visa cardholder data fall into one of four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions from a merchant Doing Business As (DBA).
Merchant Level | Description
Level 1
- Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
- Any merchant that has suffered a breach that resulted in an account data compromise.
- Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
- Any merchant identified by any other payment card brand as Level 1.
Level 2
- Any merchant processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3
- Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4
- Any merchant processing less than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1,000,000 transactions per year.
Sarbanes Oxley Compliance
The Sarbanes-Oxley (SOX) Act was established in 2002 in response to the dozens of accounting scandals involving companies such as MCI and Enron. The purpose of this legislation is to establish greater accountability at the executive level for financial reporting and to remove many potential conflicts of interest between companies and their audit service providers. Information security plays an important role in Section 404: Management Assessment of Internal Controls. This section dictates that you must have the proper controls in place to ensure the integrity of financial information and be able to validate these controls during the annual audit.
NetBoundary's Managed Security Services will enable your organization to feel confident in the integrity of your financial systems and be able to demonstrate this integrity to management and auditors by providing you with the information necessary for your Internal Control Report.
NetBoundary's Sarbanes-Oxley compliance solutions deliver:
- Proper security controls around your critical information assets
- On-demand, enterprise-wide security reporting
- Identification of existing vulnerabilities
- Early warning of emerging threats
- 24x7 incident handling capabilities
- An enhanced security posture
- Improved operational efficiency
- Increased shareholder value