The Payment Card Industry Data Security Standard (PCI DSS)

In an increasingly hyper-connected global economy, where most commerce now revolves around digital transactions, the growth in card-based payments has been matched by a rise in cyber-attacks aimed at stealing financial data. The Payment Card Industry Data Security Standard (PCI DSS) is a strong first line of defence against these attacks.

PCI DSS is a globally accepted framework for protecting cardholder data across all channels, whether the transaction involves merchants, payment processors, banks, e-commerce providers or cloud-based fintech ecosystems. This article presents PCI DSS in detail: its history, its requirements, its compliance levels, the types of data it protects, and how Intelation, a privacy-first data privacy platform, automates and strengthens PCI DSS compliance with features such as encryption, privacy-enhancing technologies (PETs), audit trail software and role-based access control.

What is PCI DSS?


A series of security standards

The PCI Data Security Standard, also known as PCI DSS, was established by the PCI Security Standards Council (PCI SSC) in 2006 to ensure that every organization that stores, processes, or transmits credit card information maintains a secure environment.

  • Created by major card networks - Visa, Mastercard, American Express, JCB, and Discover
  • Global standard for securing payment card data
  • Established in 2006 by the PCI Security Standards Council

PCI DSS applies to

Any organization that handles payment card data must comply with PCI DSS requirements.

  • Retailers (both online and brick-and-mortar)
  • Fintech apps and platforms
  • Payment gateways and processors
  • Financial institutions
  • Any entity that holds cardholder data

Risks of Non-compliance

The PCI DSS has been structured to lower the risk of data breaches, identity theft, and fraud. Compliance is much more than avoiding fines—much greater risks are posed to customers, your brand, and your overall business continuity.

Non-compliance can lead to:
  • Loss of the ability to process card payments
  • Fines from the card networks and from regulators
  • Data breach lawsuits and the cost of rebuilding reputation
  • Mandatory forensic audits and the associated recovery fees

PCI DSS: 12 Core Requirements

PCI DSS v4.0 defines 12 core security requirements grouped under six objectives:

Build and maintain a secure network and systems:

  • Requirement 1: Install and maintain securely configured firewalls (network security controls).
  • Requirement 2: Do not use vendor-supplied defaults, such as default passwords, on any system.

Protect account data:

  • Requirement 3: Protect stored cardholder data (CHD) using encryption and data masking.
  • Requirement 4: Encrypt CHD in transit across open, public networks.

Maintain a vulnerability management program:

  • Requirement 5: Use and regularly update antivirus (anti-malware) software.
  • Requirement 6: Develop and maintain secure systems and applications.

Implement strong access control measures:

  • Requirement 7: Restrict access to CHD on a need-to-know basis.
  • Requirement 8: Assign a unique ID to every person with computer access.
  • Requirement 9: Restrict physical access to CHD.

Regularly monitor and test networks:

  • Requirement 10: Track and monitor all access to network resources and CHD through an audit trail.
  • Requirement 11: Regularly test security systems and processes.

Maintain an information security policy:

  • Requirement 12: Maintain a policy that addresses information security for employees and contractors.

Which Cardholder Data should be protected?

The PCI DSS requires protection for two classes of data:

Cardholder Data (CHD):
  • Primary Account Number (PAN)
  • Cardholder name
  • Expiration date
  • Service code

Sensitive Authentication Data (SAD):
  • Full magnetic stripe data
  • CVV2/CVC2 (card verification value)
  • PINs and PIN blocks

Note: SAD should never be stored after authorization, even if encrypted.
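The two rules above (SAD is never persisted; a stored or logged PAN is rendered unreadable) can be enforced in code at the point where a payment record is written. The following is an added example, not code from the article or from Intelation; the field names in SAD_FIELDS, the record layout and the sample values are constructed for illustration.

```python
"""Guard rails for persisting or logging payment data under PCI DSS Requirement 3.
Field names, record layout and sample values are assumptions made for this example."""
import re

# Assumed field names that carry Sensitive Authentication Data (SAD).
# PCI DSS forbids storing any of these after authorization, even encrypted.
SAD_FIELDS = {"cvv2", "cvc2", "cav2", "cid", "track1", "track2", "magstripe", "pin", "pin_block"}

# A PAN is 13 to 19 digits; the look-arounds stop us matching part of a longer number.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every card PAN passes; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; replace the middle."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def prepare_for_storage(record: dict) -> dict:
    """Return a copy of `record` that is safe to persist.

    Any SAD field causes an outright refusal (it must never be stored after
    authorization), and the PAN is replaced by its truncated form."""
    present = SAD_FIELDS & {k.lower() for k in record}
    if present:
        raise ValueError(f"sensitive authentication data must not be stored: {sorted(present)}")
    safe = dict(record)
    pan = str(safe.get("pan", ""))
    if pan:
        if not PAN_RE.fullmatch(pan) or not luhn_valid(pan):
            raise ValueError("pan field is not a plausible PAN")
        safe["pan"] = mask_pan(pan)
    return safe


def redact_pans(text: str) -> str:
    """Mask Luhn-valid 13-19 digit runs in free text (log lines, tickets) so that
    full PANs do not leak into the audit trail required by Requirement 10."""
    return PAN_RE.sub(lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(), text)
```

Run `prepare_for_storage` on every record before it reaches a database or queue, and `redact_pans` on log formatters, so the controls apply regardless of which code path produced the data.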