Payment Card Industry Data Security Standard [PCI DSS] | Enea Romania | 0LOVES1



Payment Card Industry Data Security Standard [PCI DSS]


What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit cards. It is managed by the PCI Security Standards Council (PCI SSC), an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). The council was launched on September 7, 2006 to administer the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving overall payment security throughout the entire process and the final goal of reducing credit card fraud.

Basically, the Payment Card Industry Data Security Standard is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.

To whom does the PCI DSS apply?

The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. All businesses that store, process or transmit payment cardholder data must be PCI compliant.

PCI DSS is not a law. The standard was created by the aforementioned major card brands. Merchants that do not comply with PCI DSS may be subject to fines, forensic audits, reputational damage, etc., if a breach occurs. Complying with the PCI DSS minimizes the risk of such costly consequences.

The current PCI DSS documents can be found on the PCI Security Standards Council website.

What are the requirements for PCI DSS Compliance?

1. Use and Maintain Firewalls

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. These prevention systems are often the first line of defense against hackers. Firewalls are required for PCI DSS compliance because they can prevent unauthorized access.

2. Proper Password Protections

Various systems and products ship with default passwords and default security settings that are publicly known. Ensuring compliance in this area includes keeping a list of all devices and software that require a password or other authentication mechanism, alongside basic precautions such as changing passwords regularly.

3. Protect Cardholder Data

The third requirement of PCI DSS compliance specifies that stored card data must be encrypted with certain approved algorithms. Regular maintenance and scanning are required in order to ensure that no unencrypted card data exists.

4. Encrypt Transmitted Data

Cardholder data is sent over various channels (e.g., to payment processors, or from local stores to the home office). This data must be encrypted at all times when being sent to these known locations. Never send it to unknown locations.

5. Use and Maintain Anti-Virus

Installing anti-virus software is a good general security practice. In this case, anti-virus software is required for all devices that interact with or store credit card information. This software must be kept up to date.

6. Properly Updated Software

Keep all software up to date. Most software updates include patches for recently discovered vulnerabilities. If these are not applied, the consequences can be very damaging.

7. Restrict Data Access

Access to sensitive data must be granted on a "need to know" basis. Staff who do not need access to this data should not have it. The roles that do need access to sensitive data should be documented and kept up to date.

8. Unique IDs for Access

Employees who have access to cardholder data should have unique, individual credentials for that access. Do not have staff share the same pair of credentials.

9. Restrict Physical Access

Any cardholder data must be physically stored in a secure location. Data that is written on paper and data that is stored digitally should both be locked in a secure room. Limit access and keep an access log history in order to remain compliant.

10. Create and Maintain Access Logs

All activity related to cardholder data must be logged. Organizations have to document the data flows and keep a record of how many times this data was accessed.

11. Scan and Test for Vulnerabilities

Perform regular vulnerability scans and penetration testing.

12. Document Policies

Maintain an inventory of the equipment, software, and employees that have access to the sensitive data. Moreover, it is important to document how information flows into your organization, where it is stored, and how it is used.

What are the benefits of PCI Compliance?

After reading all of the above principles, one might believe that complying with the PCI Security Standards is difficult. However, compliance is becoming more important, and it may not be as difficult as one might assume.

PCI compliance means that the organization is secure and that customers can trust it with their sensitive payment card information. It greatly improves the reputation of any organization. PCI compliance is a continuous process that helps prevent security breaches and payment card data theft. This means that you are contributing to a global payment card data security solution.

Stay safe!
