The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit cards, and it is managed by the PCI SSC (www.pcisecuritystandards.org), an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). It was launched on September 7, 2006 to administer the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving overall payment security throughout the entire process and the final goal of reducing credit card fraud.
Basically, the Payment Card Industry Data Security Standard is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. All businesses that store, process or transmit payment cardholder data must be PCI compliant.
PCI DSS is not a law. The standard was created by the aforementioned major card brands. Merchants that do not comply with PCI DSS may be subject to fines, forensic audits, reputational damage, etc., if a breach occurs. Complying with the PCI DSS minimizes the risk of such costly consequences.
The current PCI DSS documents can be found on the PCI Security Standards Council website.
1. Use and Maintain Firewalls
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. These prevention systems are often the first line of defense against hackers. Firewalls are required for PCI DSS compliance because they can prevent unauthorized access.
2. Proper Password Protections
Various systems and products often come with default passwords and security measures easily accessed by the public. Ensuring compliance in this area includes keeping a list of all devices and software which require a password or other authentication mechanism alongside basic precautions, such as changing the password often.
3. Protect Cardholder Data
The third requirement of PCI DSS compliance specifies that stored card data must be encrypted with certain algorithms. Regular maintenance and scanning are required in order to ensure that no unencrypted card data exists.
4. Encrypt Transmitted Data
Cardholder data is sent over various channels (e.g., to payment processors, or from local stores to the home office). This data must be encrypted at all times when being sent to these known locations. Never send anything to unknown locations.
5. Use and Maintain Anti-Virus
Installing anti-virus software is a good general security practice. In this case, anti-virus software is required on all devices that interact with or store credit card information. This software must be kept up to date.
6. Properly Updated Software
Keep all software up to date. Most software updates include patches that address recently discovered vulnerabilities. If these are not applied, the consequences can be very damaging.
7. Restrict Data Access
Access to sensitive data must be granted on a "need to know" basis. Staff who do not need access to this data should not have it. The roles that do need access to sensitive data should be documented and kept up to date.
8. Unique IDs for Access
Employees who have access to cardholder data should each have unique, individual credentials. Do not ask staff to share a single set of credentials.
9. Restrict Physical Access
Any cardholder data must be physically stored in a secure location. Whether the data is written on paper or stored on digital media, it should be locked in a secure room. Limit access and keep an access log history in order to remain compliant.
10. Create and Maintain Access Logs
All activity related to cardholder data must be logged. Organizations have to document the data flows and keep a record of how many times this data was accessed.
11. Scan and Test for Vulnerabilities
Perform regular vulnerability scans and penetration testing.
12. Document Policies
Maintain an inventory of equipment, software, and employees that have access to the sensitive data. Moreover, it is important to mention how information flows into your organization, where it is stored, and how it is used.
After reading all of the above principles, one might believe that complying with PCI Security Standards seems difficult. However, compliance is becoming more important and may not be as difficult as one might assume.
PCI compliance means that the organization is secure and that customers can trust it with their sensitive payment card information. It greatly improves the reputation of any organization. PCI compliance is a continuous process that helps prevent security breaches and payment card data theft. This means that you are contributing to a global payment card data security solution.