PCI DSS
Payment Card Industry Data Security Standard (PCI DSS) refers to a set of policies and procedures formed in 2004 by Mastercard, Visa, American Express, JCB International, and Discover Financial Services to make sure that maximum credit and debit card security measures against data theft and fraud are maintained.
The compliance scheme is governed by Card Industry Security Standards Council (PCI SSC). Its structure is made up of 12 vital requirements, 6 main objectives, more than 400 test procedures, and 78 base requirements.
PCI Compliance
Payment Card Industry (PCI) compliance is a major component that enables credit card companies to make sure the highest standards of credit card security are maintained. Therefore, companies that follow and adhere to the PCI DSS are considered to be PCI compliant.
PCI DSS Certification
This certification makes sure that the card data security goes through established requirements from the governing board PCI SSC. Some of these requirements include firewall installation, data encryption, data access restriction, and many others.
PCI DSS Requirements
To maintain the highest level of security, the Card Industry Security Standards Council (PCI SSC) has established 12 major requirements for handling cardholder information. The requirements are further divided into six categories based on their objectives. The six broader goals include network monitoring and testing, vulnerability management, access control, secure network, information security, and secure cardholder data.
| Goals | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update antivirus software or programs 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by buisiness need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personell |
PCI DSS Compliance Levels
PCI Compliance is made up of four levels, based on credit or debit card transactions processed in one business year. Other factors such as risk levels presented by payment brands are also put into consideration. The classification of PCI compliance is relevant in determining what the businesses or individuals need to do in order to be compliant.
Level 1 — Over 6 million annual transactions
Level 2 — Between 1- 6 million annual transactions
Level 3 — Between 20,000 and 1 million annual transactions
Level 4 — Less than 20,000 annual transaction
Note: Different card issuers have different compliance levels.
PCI DSS Benefits
Living in a world where digital transactions are the epitome of the world’s economy, PCI DSS has numerous benefits, both for merchants and customers. Here are some key benefits:
- Customer protection from data breaches and fraud
- Reduces the risks of data breaches
- Cultivates a security-first mindset
- Improves brand reputation
- Creates a baseline for upcoming regulations
Previous article