What is PCI DSS?

The history of PCI DSS, Payment Card Industry Data Security Standards for short, goes back to 2004, when major credit card companies combined their efforts to create a joint set of security standards for businesses that store, process and transmit cardholder data. 2 years later, in 2006 these major credit card companies, namely MasterCard, American Express, Visa, JCB International and Discover Financial Services together founded PCI SSC (Payment Card Industry Security Standards Council) and gathered these standards under the same roof of PCI DSS. PCI SSC stands as an administrative and governing entity for sensitive cardholder data security standards. PCI DSS is much more than a must-have certification, it is a continuous process that businesses must comply with. While the core aim is to protect the cardholder data and reduce the vulnerability, the standards are periodically updated and new versions are released as new security challenges emerge with advancing technologies. With its current version 3.2.1, PCI DSS celebrates its 16th birthday.

What does PCI DSS do: Businesses and Customers

Although PCI SSC has no legal authority to compel compliance, its established standards -PCI DSS- are required by credit card companies from any business that processes, stores or transmit credit or debit card transactions, so its scope is almost infinite. From small e-commerce businesses to data storage services, any business that handles cardholder information Then the question comes: what is the importance and how it is followed across the globe? As a part of the financial system, the payment industry is built upon trust between the parties. As the complexity increases in online payment systems, the potential risks increase accordingly. At this point, PCI DSS aims to reduce the vulnerability of sensitive information by setting strong security standards and increasing the control.

So, PCI compliance here actually work in two ways for businesses: both ensuring businesses they protect sensitive cardholder information as they account for and showing their potential customers that it is safe to make transactions. For these reasons, being PCI compliant outweighs the effort and time needed for it. Having said that, PCI compliance is not all about financial termsi non-compliance carries huge risks for trustworthiness and business reputation as well.

For example, in the case of a data breach credit card companies may force organizations to stop accepting credit card transactions or charge these businesses higher fees, not to mention several law suits and legal processes due to data leak and such. Even if these sales revenue and profit decreasing consequences were to be handled, the damaged trustworthiness and reputation are likely to remain for longer time periods which eventually decrease transactions and profits even further.

PCI DSS Compliance

Rather than being a certificate, PCI compliance requires organizations to consistently follow the guidelines and requirements set by the PCI SSC. Thus, PCI compliance means continuous adherence that should take place in all business processes. Even if you work with a PCI compliant payment processing firm, which helps to reduce the scope eventually, your organization is still responsible for the cardholder data held and recorded. While the main aim of protecting sensitive cardholder data from fraud, misuse and identity theft, specific requirements for organizations vary with annual transactions.

PCI DSS Requirements

There are 4 levels specified in PCI compliance, starting from level 4 for organizations with under 20K transactions to the level 1 for organizations with transactions exceeding 6 million. Regardless of these levels, there are 12 main requirements for PCI DSS compliance and these requirements fall under the 6 core related groups which helps businesses to ensure security in every aspect of their businesses.

Building and Maintaining a Secure Network & System

First things first, organizations are required to install and maintain a right firewall configuration to effectively protect the cardholder data. Organizations should ensure they don’t use vendor or 3rd party supplied defaults as passwords for any system or security environment.

Protecting Cardholder Data

As the main aim is to keep cardholder data safe and sound, organizations are required to protect the existing stored cardholder data and use encryption for public or open networks.

Continuous Vulnerability Management

To ensure the security of the systems, organizations are responsible for regular usage and updating their anti-virus software and develop their systems/applications securely.

Controlling Access

Organizations should be managing who has access the cardholder information effectively. Organizations are required to restrict the access by business needs and roles, restrict physical access to cardholder data and assign and identify each person with access.

Continuous Monitoring and Testing

Organizations should continuously monitoring and tracking all accesses to their network and especially cardholder data while testing their security systems as well.

Maintaining an Information Security Policy

Organizations should maintain and implement an information security policy across all personnel they work with, including their own employees and 3rd party contractors.

After all, PCI DSS compliance is the most effective step for firms that handle cardholder information for their fully secure environment. Although it is a set of security standards that firms are expected to implement, these standards also help businesses to develop an organization-wide strong and clear security structure.

If you need any help on PCI DSS compliance -on how to start or to remain compliant- our experienced compliance advisory consultants are here to design and implement your roadmap. Please reach out to us, [email protected]