The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements created to ensure that companies that store and process credit card information maintain a safe environment and protect the data they are entrusted with. The PCI DSS is managed and administered by the PCI Security Standards Council (PCI SSC). This independent body was launched in September 2006 to improve account security by American Express, Discover, JCB, MasterCard, and Visa.
History of PCI DSS
The PCI Standards Council develops and asserts PCI compliance standards, which apply to merchant processing and outline requirements for encrypted internet transactions. There are still other key entities associated with setting the standard practices in the credit card industry, such as the National Automated Clearing House (NACHA) and The Card Association Network.
Oversight of credit card processing
Credit card processing falls under consumer protection, it is the Federal Trade Commission (FTC) that is responsible for its oversight. And while there is no proper regulatory mandate to enforce the PCI, court precedent has made its compliance mandatory.
PCI Compliance Standards
PCI Standard Practices
PCI compliance standards’ primary goal is to ensure that cardholders’ financial account information remains safe and reduces the likelihood of theft, fraudulent use, or identity fraud. This is done by placing requirements on merchants and businesses to handle such information in the most secure manner possible.
Payment Card Industry Data Security Standards (PCI DSS)
To be ‘PCI compliant’ is to adhere to the set of guidelines put forth by the PCI Standards Council – these are known as the Payment Card Industry Data Security Standards (PCI DSS). They outline six primary objectives and are divided into 12 essential requirements, subdivided into 78 more base requirements, and ensured through the implementation of over 400 test procedures.
Strategies for PCI DSS compliance
The three main strategies for PCI DSS compliance are:
-
Ensuring that sensitive financial information is collected and transmitted as securely as possible by handling the ingress of credit card data from customers procedurally.
-
Making efforts in the secure storing of said data (examples are outlined through the 12 domains of the PCI standard, which include ongoing monitoring, encryption, and security testing of access to card data).
-
Consistent annual tests to ensure that the required security controls are in place and efficient. They are laid out as third-party audits, questionnaires, forms, and external vulnerability scanning services.
Handling Data
Depending on business models, some companies won’t need to handle sensitive credit card data directly, while others will. Such companies may need to adhere to more than 300+ security controls in PCI DSS. Even if the data is only traversing the company’s servers for a short amount of time, it is still required to implement and maintain an up-to-date security infrastructure (including software and hardware).
Storing Data
Any organization that handles or stores credit card data will need to define its cardholder data environment (CDE). The PCI DSS defines the CDE as “the people, processes, and technologies that store, process, or transmit credit card data—or any system connected to it.” The key is to properly segment the business environment to limit the scope of PCI validation to the payment environment only. This is important considering that all 300+ of the PCI DSS security requirements apply to the CDE.
If the organization doesn’t properly use granular segmentation to contain the CDE’s scope, these security controls would have to apply to every device, laptop, and system in the entire corporate network… Which sounds like a lot more work, time, and resources.
Annual Validation
Regardless of the efforts put into accepting, transmitting, or handling credit card data, companies must undergo annual PCI validations. Several factors will decide whether PCI compliance is validated.