Launched on September 7, 2006, The Payment Card Industry Data Security Standard or (PCI DSS) is a set of regulations that ensure that all businesses that process, store, or transmit credit card information, retain a secure environment.
The PCI Security Standards Council (PCI SSC), an independent body that was established by Visa, Discover, Mastercard, American Express, and JCB, manages the PCI DSS. It is the acquirers and payment brands that enforce compliance.
How Does The PCI SSC Assist In Ensuring Compliance?
In order to improve payment card information security, the PCI SSC offers comprehensive standards as well as supporting materials that comprise tools, measurements, specification frameworks, and other support resources to uphold the security of all sensitive cardholder data.
The PCI DSS is the foundation of the council as it offers the essential framework for building a complete payment card data security system that includes prevention, detection, and suitable reaction to security incidents.
Here are just some of the tools and resources offered by the PCI SSC:
1. Self-Assessment Questionnaires: To validate an organization’s PCI DSS compliance.
2. PIN Transaction Security (PTS) requirements for device vendors and manufacturers. There is also a list of approved PIN transaction devices.
3. Payment Application Data Security Standard (PA-DSS). Also, a list of Validated Payment Applications to assist software vendors in developing secure payment applications.
4. Lists of Qualified Security Assessors (QSAs)
5. Payment Application Qualified Security Assessors (PA-QSAs)
The Requirements For PCI DSS Compliance
In order to ensure PCI DSS compliance, here are 12 of the requirements that businesses must implement in their business:
1. Using and maintaining firewalls
Firewalls are used as the first line of defense to block unauthorized access to private data.
2. Suitable password protections
Most point-of-sale (POS) systems, modems, and routers come with standard security measures and passwords that can be easily obtained by the public. Most businesses fail to protect these vulnerabilities. Very basic precautions should be taken, such as changing the password.
3. Safeguard cardholder information
There needs to be two-fold protection of all cardholder information. This data needs to be encrypted by using certain algorithms. The encryptions that are used need to be implemented with encryption keys. In order to ensure that no unencrypted data exists, there needs to be regular scanning and maintenance of primary account numbers (PAN).
4. Transmitted data must be encrypted
All cardholder data must be encrypted when it is sent to known locations, such as payment processors. Account numbers should never be sent to unknown locations.
5. Install anti-virus software
All devices that interact with or store PAN should have anti-virus software installed. It should also be patched and updated regularly. Where it cannot be installed directly, your POS provider should apply anti-virus measures.
6. Regularly updated software
It is always good practice to update every software employed in a business. This is especially true for firewalls and anti-virus software. For any recently discovered vulnerabilities, patches that are included in most software products can be used to add another layer of protection. Updates are required for all software devices that interact with or even store cardholder data.
7. Limit data access
All cardholder information should be “need to know.” In other words, staff, third parties, and even executives who don’t need access to this information should simply not have it. Only those that need the data should be properly documented and updated regularly.
8. Have unique IDs for access
For those individuals who do have access to cardholder data, they should have individual credentials as well as proper identification for access. For example, there should not be just one login to the encrypted data, where numerous employees know both the username and password. By having unique IDs, there is less vulnerability and a quicker response time, should there be any data compromised.
9. Regulate physical access
All cardholder data must be kept in a secure location. Data that is physically written or typed and digitally kept should be locked in a secure room, cabinet, or drawer. Access should be limited, however, if it is accessed, it must be kept in a log to remain compliant.
10. Set up and maintain an access log
Any activity that deals with cardholder data and primary account numbers (PAN) requires a log entry. There needs to be proper record keeping and documentation when it comes down to accessing any type of sensitive information. The documentation should include the number of times access to this information is needed.
11. Scan and test for any vulnerabilities
Software products can go out of date, malfunction, or “suffer” from any type of human error. These threats can be mitigated by having regular scans and vulnerability testing.
12. Documentation policies
To maintain compliance, the inventory of equipment and software will need to be documented. This includes the logs for accessing cardholder data. How all information comes into the company, where it is stored, and how it is used after the point of sale will also need to be properly documented.
The Advantages Of Compliance
Although having to comply with PCI Security Standards may seem like a tall order, it is not impossible. When the right tools are used to carry out these compliance requirements, businesses will reap the benefits. Here are just some:
- By having PCI Compliance, all your systems will be secure. This means your customers will trust you with their sensitive card information. With trust comes customer confidence, which means repeat business.
- Your business is about forming long-term, trustworthy partnerships. PCI Compliance improves your reputation with payment providers and acquirers.
- As you meet PCI Compliance, you will also be satisfying additional regulations, including HIPAA, SOX, and others.
PCI-DSS Aims To Secure Cardholder Data
The PCI has established a comprehensive set of rules to carry out the vital task of protecting sensitive cardholder information. However, it is not a “set it and forget it” type of implementation. Businesses must be vigilant and must take the time to assess, rectify, and report their processes to eradicate any vulnerabilities found.