Every business accepting payments with credit and debit cards have heard of PCI DSS, even if they don’t fully understand what it is as well as the implications of being PCI compliant. Whether you are a large company processing thousands of transactions on a daily basis or just a small e-commerce website, being compliant with the PCI DSS requirements is a must for card acceptance.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It refers to a set of requirements and procedures aimed at optimizing the security of card transactions as well as protecting cardholders’ personal information, thereby reducing the risks of card data theft and fraud.
The standard was created in 2004 as a joint venture by card brands Visa, MasterCard, American Express, Discover and JCB. The brands are also the founders of the PCI Security Standards Council, described in their own words as “a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.” The Council maintains, evolves, and promotes the PCI DSS and provides tools needed for implementing the standard such as assessment and scanning qualifications or self-assessment questionnaires. Although the Council owns and maintains the standard, it is up to the issuing bank or card acquirers to enforce the rules and apply the penalties for any data breach.
It is worth noting that the PCI DSS applies to all businesses that store, process and/or transmit cardholder data. In order to have a certificate of PCI compliance, all merchants are required to demonstrate that sufficient systems and processes are in place to effectively secure customer credit card information, regardless of the business size.
What are the PCI DSS Requirements?
The Payment Card Industry Data Security Standard comprised twelve requirements grouped into six major goals. See below:
|Build and maintain a secure network in which transactions can be conducted||1. Use of a firewall robust enough to be effective without causing too much inconvenience to cardholders or vendors
2. Do not use authentication data, such as PINs and passwords, supplied by default by vendors
|Cardholder information must be protected||3. Protect stored cardholder information, such as birth dates, ID numbers, phone numbers and mailing addresses
4. Encrypt cardholder data when transmitting through public networks
|Keep systems protected against hackers||5. Use a frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions
6. Develop and maintain secure systems and applications
|Implement strict access control measures||7. Restrict access to cardholder data by business need-to-know (role-based access control)
8. Assign a unique and confidential identification name or number to every person who uses a computer in the system
9. Protect card holder data electronically as well as physically
|Frequently test and monitor the network||10. Track and monitor all access
11. Regularly test security systems and processes
|Have a formal information security policy||12. Define a security policy to be maintained and followed at all times and by all participating entities|
When followed correctly, the PCI DSS significantly reduces the risks of data breach. It is crucial for every e-commerce business looking for a payment gateway or payment processor to verify if the provider is PCI DSS certified. PagBrasil, for instance, is PCI DSS Level 1, version 3.2, certified by Trustwave. This is the highest security standard in the payment industry and the version 3.2 is the most recent one, introduced earlier this year. Merchants and payment providers have until 2018 to adapt to the new requirements of this version, but PagBrasil’s system already fully compliant with all of them.
Thanks for helping me understand PCI DSS a bit more. I didn’t know that this standard was created back in 2004 by different card brands. I’m kind of interested to learn a bit more about how this standard has changed over the years, or how often it is updated.