The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.
PCI DSS comprises a minimum set of requirements for protecting account data and may be enhanced by additional controls and practices to further mitigate risks, and to incorporate local, regional, and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (
Who Needs to be PCI DSS Compliant?
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card account processing — including merchants, processors, acquirers, issuers, and other service providers. Whether any entity is required to comply with or validate their compliance to PCI DSS is at the discretion of those organizations that manage compliance programs (such as payment brands and acquirers). Contact the organizations of interest for any additional criteria.
PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
The PCI Data Security Standard
The PCI DSS is the global data security standard adopted by the card brands for all organizations that process, store or transmit cardholder data. It consists of common-sense steps that mirror best security practices.
PCI DSS Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
How to Comply with PCI DSS?
Merchants and organizations that store, process and/or transmit cardholder data must comply with PCI DSS. The Council maintains the standard itself, but each card brand defines its own guidelines for certification and for the filings required before an entity is granted access to the network the brand operates; each brand also sets its own penalties for non-compliance by external parties. For example, American Express’ audit fines are $200 per violation plus associated charges, whereas Discover Media can impose up to $5 million or 5%, whichever is higher. Depending on an organization’s classification or risk level (determined by the individual card brands), validating compliance and reporting to the acquiring financial institution usually follows this track:
- PCI DSS Scoping – determine which system components are governed by PCI DSS
- Sampling – examine the compliance of a representative subset of the in-scope system components
- Compensating Controls – a Qualified Security Assessor (QSA) validates any alternative control technologies or processes used in place of a stated requirement
- Reporting – the merchant/organization submits the required documentation
- Clarifications – the merchant/organization clarifies or updates report statements (if applicable) upon request from the acquiring bank
About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) is a global open body formed to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security. The Council maintains, evolves, and promotes the Payment Card Industry security standards. It also provides critical tools needed for the implementation of the standards such as assessment and scanning guidelines, a self-assessment questionnaire, training and education, and product certification programs. The PCI SSC founding members, American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., have agreed to incorporate the PCI Data Security Standard as part of the technical requirement for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI SSC to assess compliance with the PCI DSS. The PCI SSC’s founding member card brands share equally in the Council’s governance and operations. Other industry stakeholders participate in reviewing proposed additions or modifications to the standards, including merchants, payment card issuing banks, processors, hardware and software developers, and other vendors.