What is PCI DSS?
The PCI DSS is a comprehensive set of requirements for enhancing cardholder data security around the storage and handling of customer credit card information/data.
Developed by the founding payment brands MasterCard Worldwide, Visa International, American Express, Discover Financial Services and JCB. The standard was developed to help facilitate the broad adoption of consistent data security measures on a global basis. The five founding members jointly formed an independent regulatory organisation called the PCI Security Standards Council (PCI SSC) to promulgate the Standard. The PCI DSS reflects an agreed position on the combination of each of the credit card brands’ security standards.
PCI DSS covers systems, policies and procedures around:
- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management programme
- Implementation of Strong Access Control Measures
- Regularly monitoring and testing of networks
- Maintaining an Information Security Policy
Who needs to comply?
Any merchant, acquirer and issuer bank, and service provider that processes, stores or transmits credit or debit card data, and any connected party to them.
Does PCI DSS apply to you?
- Do you process credit card transactions?
- Do you store credit card information? (paper or electronically)
- Do you take online credit card payments?
- Do you handle credit card information on paper, online, over the phone or via mail?
If you answered yes to any of the above questions PCI DSS applies to you.
Why is PCI DSS important?
- To manage risk
- Losses due to fraud
- Negative publicity
- Loss of consumer confidence
- Threat of enforced regulation
- To protect consumer data
Credit card fraud and identity theft are rampant across the globe and affecting millions of consumers and businesses everyday. The media is filled with stories of credit card information breaches and payment card industry have determined a need for a concerted and comprehensive response. The development of the PCI DSS is a critical step in this direction. The standard continues to be strengthened and refined through the joint efforts of PCI SSC, the credit card brands, acquirers and covered parties alike.
Why comply with PCI DSS?
- To manage your risk
- To protect your customer data
- To stay competitive in the market
- To avoid punitive measures
- Potentially significant fines – incrementally increases
- To stay in business
However as with all compliance regimes, it is imperative that sufficient robust discussion occurs for business reasons for compliance to be well understood.
Key Definitions
Acquirer
Also known as merchant bank. Is the bank that is the initial point of merchant transactions.
ASV (Approved Scanning Vendors)
Performs quarterly external network scans.
Card Brands
Visa, MasterCard, American Express, Discover and JCB. They provide authorisation and clearing/settlement services, establish operating rules and regulations, and issue cards and acquire transaction through third parties.
Cardholder
The customer, the consumer, the person that uses the card.
Compliance Validation
Specific steps required to verify and show evidence of any entity’s status with regard to compliance.
Issuer
Is the bank that issues the credit card used in the particular transaction.
Merchant
Any entity that sells goods or services involving any credit card transactions.
QSA (Qualified Security Assessors)
Provides support and guidance on the compliance process. Defines the scope and advises on readiness for audit. Conducts comprehensive PCI DSS assessments. Evaluate compensating controls. Produces compliance reporting.
SAQ (Self Assessment Questionnaire)
Required document to be completed by all entities below level 1 to validate compliance.
Service Provider
Business entity directly involved in the processing, storage, transmission, and switching of transaction data or cardholder data. Provides services to merchants, services providers or other parties that impact the security of cardholder data.
