What is the Payment Card Industry (PCI) Data Security Standard (DSS)?
The PCI Data Security Standard is a common set of industry tools and measurements to help ensure the safe handling of sensitive cardholder information. Initially created by aligning Visa’s Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard’s Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents.
Why does PCI-DSS exist?
As data compromise becomes ever more sophisticated, it becomes ever more difficult for an individual merchant to stay ahead of the threats. The PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals. When you stay compliant, you are part of the solution – a united, global response to fighting payment card data compromise.
Does it apply to me?
PCI DSS applies to you if you are involved in storing, processing or transmitting any cardholder data. What’s more, the standard doesn’t just apply to storing data electronically; it also covers manual processing and storage. Whether you conduct a few payment processes or millions of transactions every year, you will belong to one of four merchant levels:
Level One
Any merchant processing over 6 million Visa or MasterCard transactions per year. Or who has suffered an attack that resulted in an account data compromise. Or who have been identified as Level 1 Independent Qualified Security Assessor or Internal Audit signed by Company Officer.
Level Two
Any merchant processing one to six million Visa or MasterCard transactions per year.
Level Three
Any merchant processing 20,000 to one million Visa or MasterCard e-commerce transactions per year.
Level Four
Any merchant processing fewer than 20,000 Visa or MasterCard transactions per year. Or all other merchants processing up to one million Visa or MasterCard transactions a year.
Why do I need to be compliant?
Compliance with PCI DSS means that your systems are secure, and customers can trust you with their sensitive payment card information. Compliance improves your reputation with acquirers and payment brands the partners you need in order to do business. According to payment brand rules, all merchants and their service providers are required to comply with the PCI Data Security Standard in its entirety.
What happens if I am not compliant?
Compromised data negatively affects consumers, merchants, and financial institutions Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future. Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and depressed share price if yours is a public company. Possible negative consequences also include Lawsuits, Insurance claims, Payment card issuer fines and Government fines.
Do I just need to become complaint once?
Compliance is an on-going process, not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but in the future.
What do I need to do to become compliant?
It’s a matter of following the 12 requirements in the standard, working with your acquiring bank and using the tools offered through the Council. Remember that PCI DSS compliance is an on-going process, not a one-time event. You’ll need to continuously assess your operations, fix any vulnerabilities that are identified, and make the required reports to the acquiring bank and card brands you do business with.
What are the Requirements?
It’s important to know the standards, as you may be storing cardholder information (e.g. receipts from terminals or emails that have cardholder details in them) in a way that the standard does not allow. The standard is broken down into six logical sections:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data*.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors.
*To qualify for PCI compliance, Level 4 Clients (those with fewer than 20k transactions a year) will need to fill out their own Self Assessment Questionnaire.
What is PA DSS?
In order to tackle ever-growing concerns relating to card data security, the PCI Council has developed standards for users of payment applications that process sensitive authentication data. The Payment Application Data
Security Standard (PA DSS) is largely based on Visa’s Payment Application Best Practices (PABP) program. In order for all merchants to conform to these standards, the PCI has set dates for compliance.
Effective from July 1st 2010 acquirers must ensure that all new merchant implementations only use PA DSS compliant applications. Effective from December 31st 2012 acquirers must ensure that all merchants using payment applications must either be fully PCI DSS compliant or using a PA DSS compliant application.
Installing a PA DSS compliant application will assist merchants in achieving PCI DSS certification. In order to fully comply with the PA DSS clients must still maintain several areas of the storage and processing procedure.
Where do I start?
A good place to start is to identify where cardholder data exists on your network. In most cases it is not just the point of sale. In order to make compliance as easy as possible you should look to reduce the size of your card data environment, as every point on your network that touches cardholder data, needs to be protected and managed. Therefore, reducing your card data environment will reduce the time, effort and cost to get compliant.
PXP Financial
The End-to-end payment platform
PXP Financial provides a single unified payments platform to accept payments online, on mobile and at the point of sale. Powered by inhouse global acquiring, 200+ alternative payment methods & financial services, PXP processes over EUR 16 billion annually through our unified gateway.
Whatever your business needs today or tomorrow, PXP Financials’ innovative payment platform will support your business growth with all the payment services you will ever need from one source, wherever your business takes you.
