What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements that ensures organisations handling or processing card payments maintain a secure environment. It was first introduced in 2004 to help reduce payment card fraud by increasing the security around cardholder data, and to give consumers doing business with a PCI-compliant company confidence that the transaction and their data will be secure.
Following initial attempts to create their own standards, Visa, MasterCard, American Express, Discover and JCB joined forces to form the Payment Card Industry Security Standards Council (PCI SSC), which owns, enforces and develops the PCI DSS standard going forward.
PCI DSS applies to any organisation that accepts, transmits or stores any cardholder details, with four levels of compliance depending on the annual number of card transactions handled.
Level 4 is the lowest level of compliance, for organisations processing fewer than 20 thousand e-commerce transactions, or 1 million ‘real world’ transactions, a year; Level 1 is the highest level, for businesses handling more than 6 million real world transactions annually.
The level an organisation falls into dictates what actions it must undertake to remain compliant. Businesses at Levels 4 through 2 must perform a yearly self-assessment by completing a Self-Assessment Questionnaire (SAQ). If the PCI SSC feels further investigation or proof is necessary, the organisation could be subject to a quarterly scan by a PCI Approved Scanning Vendor (ASV).
Enterprises at Level 1 are audited yearly by an authorised PCI auditor, with mandatory PCI scans every quarter.
At a high level, the PCI DSS focuses on six key control areas, broken down into 12 main requirements against which security is assessed. As a minimum, to gain PCI DSS compliance a business must:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Never use vendor-supplied defaults for passwords or other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt cardholder data during transmission across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data on a need-to-know basis
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors