August 24, 2017

What is PCI DSS and What are Its Compliance Requirements?

Every business that accepts credit and debit card payments has heard of PCI DSS, even if it does not fully understand what the standard is or what being PCI compliant implies. Whether you are a large company processing thousands of transactions a day or a small e-commerce website, compliance with the PCI DSS requirements is a must for card acceptance.

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. It refers to a set of requirements and procedures aimed at optimizing the security of card transactions as well as protecting cardholders’ personal information, thereby reducing the risks of card data theft and fraud.

The standard was created in 2004 jointly by the card brands Visa, MasterCard, American Express, Discover and JCB. These brands also founded the PCI Security Standards Council, described in its own words as “a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.” The Council maintains, evolves and promotes the PCI DSS and provides the tools needed to implement the standard, such as assessor and scanning vendor qualifications and self-assessment questionnaires. Although the Council owns and maintains the standard, it is up to the issuing banks and card acquirers to enforce the rules and apply penalties for any data breach.

It is worth noting that the PCI DSS applies to all businesses that store, process and/or transmit cardholder data. To obtain a certificate of PCI compliance, every merchant, regardless of size, must demonstrate that sufficient systems and processes are in place to secure customer credit card information effectively.

What are the PCI DSS Requirements?

The Payment Card Industry Data Security Standard comprises twelve requirements grouped into six major goals, listed below by goal:

Goal: Build and maintain a secure network in which transactions can be conducted
1. Use a firewall robust enough to be effective without causing too much inconvenience to cardholders or vendors
2. Do not use vendor-supplied default authentication data, such as PINs and passwords

Goal: Protect cardholder information
3. Protect stored cardholder information, such as birth dates, ID numbers, phone numbers and mailing addresses
4. Encrypt cardholder data when transmitting it over public networks

Goal: Keep systems protected against hackers
5. Use frequently updated anti-virus software, anti-spyware programs and other anti-malware solutions
6. Develop and maintain secure systems and applications

Goal: Implement strict access control measures
7. Restrict access to cardholder data by business need-to-know (role-based access control)
8. Assign a unique and confidential identification name or number to every person who uses a computer in the system
9. Protect cardholder data electronically as well as physically

Goal: Frequently test and monitor the network
10. Track and monitor all access
11. Regularly test security systems and processes

Goal: Have a formal information security policy
12. Define a security policy to be maintained and followed at all times and by all participating entities

When followed correctly, the PCI DSS significantly reduces the risk of a data breach. It is crucial for every e-commerce business looking for a payment gateway or payment processor to verify that the provider is PCI DSS certified. PagBrasil, for instance, is PCI DSS Level 1, version 3.2, certified by Trustwave. Level 1 is the highest security standard in the payment industry, and version 3.2 is the most recent one, introduced earlier this year. Merchants and payment providers have until 2018 to adapt to the new requirements of this version, but PagBrasil’s system is already fully compliant with all of them.

Written by Bianca Lopez - Follow @biancatlopez

1 Comment

  • Taylor Bishop

    Thanks for helping me understand PCI DSS a bit more. I didn’t know that this standard was created back in 2004 by different card brands. I’m kind of interested to learn a bit more about how this standard has changed over the years, or how often it is updated.