Every business accepting payments with credit and debit cards has heard of PCI DSS, even if they don’t fully understand what it is and the implications of being PCI compliant.
Whether you are a large company processing thousands of transactions on a daily basis or just a small e-commerce website, being compliant with the PCI DSS requirements is a must for card acceptance.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It refers to a set of requirements and procedures aimed at optimizing the security of card transactions and protecting cardholders’ personal information, thereby reducing the risks of card data theft and fraud.
The standard was created in 2004 as a joint venture by card brands Visa, MasterCard, American Express, Discover, and JCB. The brands are also the founders of the PCI Security Standards Council, described in their own words as “a global open body formed to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security.”
The Council maintains, evolves, and promotes the PCI DSS and provides tools for implementing the standard, such as assessment and scanning qualifications or self-assessment questionnaires. Although the Council owns and maintains the standard, it is up to the issuing bank or card acquirers to enforce the rules and apply the penalties for any data breach. It is worth noting that the PCI DSS applies to all businesses that store, process, and/or transmit cardholder data.
To have a certificate of PCI compliance, all merchants must demonstrate that sufficient systems and processes are in place to effectively secure customer credit card information, regardless of the business size.
What are the PCI DSS Requirements?
The Payment Card Industry Data Security Standard comprised twelve requirements and six major goals. See below:
PCI DSS 12 Requirements Table
| Goal | Requirements |
| Build and maintain a secure network in which transactions can be conducted. |
1. Use a firewall that is strong enough to provide security without causing inconvenience to cardholders or vendors. 2. Do not use default authentication data, such as PINs and passwords provided by vendors.
|
| Cardholder information must be protected. |
3. Store and protect sensitive cardholder data, including birth dates, IDs, phone numbers, and mailing addresses. 4. Encrypt cardholder data when transmitting through public networks.
|
| Keep systems protected against hackers. |
5. Use frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions. 6. Develop and maintain secure systems and applications.
|
| Implement strict access control measures. |
7. Restrict access to cardholder data by business need-to-know (role-based access control). 8. Assign a unique and confidential identification name or number to every person who uses a computer in the system. 9. Protect cardholder data electronically as well as physically.
|
| Frequently test and monitor the network. |
10. Track and monitor all access. 11. Regularly test security systems and processes.
|
| Have a formal information security policy. |
12. Define a security policy to be maintained and followed at all times and by all participating entities.
|
When followed correctly, the PCI DSS significantly reduces the risks of data breaches. It is crucial for every e-commerce business looking for a payment gateway or payment processor to verify if the provider is PCI DSS certified.
Comment
Thanks for helping me understand PCI DSS a bit more. I didn’t know that this standard was created back in 2004 by different card brands. I’m kind of interested to learn a bit more about how this standard has changed over the years, or how often it is updated.