What is PCI-DSS?
PCI-DSS stands for Payment Card Industry Data Security Standard. PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customers' credit or debit card data.
History:
There had been different data security programs run by Visa, MasterCard, American Express, Discover and JCB. The intention of each was roughly the same: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data. To resolve the interoperability problems among the existing standards, a combined effort by the principal credit card organizations resulted in the release of version 1.0 of PCI DSS in December 2004. PCI DSS has since been implemented and followed across the globe.
MasterCard, American Express, Visa, JCB International and Discover Financial Services aligned their individual policies to create PCI-DSS and established the PCI-SSC in September 2006 as an administration/governing entity which manages the evolution and development of PCI DSS. The first version of PCI-DSS was released on December 15, 2004; the latest version is 3.2.1, released in May 2018.
Who needs to be PCI-DSS Compliant?
The PCI DSS applies to any merchant or service provider that handles, processes, stores or transmits Credit Card or Debit Card data.
a. Merchant:
For merchants, the PCI Security Standards Council has provided on-your-honor compliance validation tools in the form of Self-Assessment Questionnaires (SAQs). There are four SAQs: A, B, C and D. The SAQs were designed to accommodate both different business types (e.g. restaurant vs. ecommerce) and different processing methods (e.g. whether or not the merchant handles, processes or stores Credit Card and Debit Card data). Larger merchants who process millions of transactions per year are required to have an onsite audit conducted by a Qualified Security Assessor (QSA).
Here are two examples of how a merchant would choose a particular SAQ:
If an ecommerce merchant accepts Credit/Debit card payment via their website and then stores the Credit/Debit card information for future purchases, they would be required to fill out the SAQ D, or the long form as it is known, because they are handling, processing and storing Credit/Debit card data. SAQ D includes the full ~250 controls in the PCI DSS standard and requires the greatest amount of time, energy and money.
Conversely, if an ecommerce merchant only accepts Credit/Debit card payment via their website and does not handle, process or store Credit/Debit card data, because payment is taken through an API or a hosted page, the merchant can qualify for the SAQ A, the shortest of the four. It includes roughly 20 controls and can be completed very quickly. In addition to this SAQ, processors or QSAs will sometimes also require that the merchant sign up for a scanning service of outward-facing IP addresses, even though there is no Credit/Debit Card data present to be stolen.
It is important to note in this second example that if this merchant also accepts Credit/Debit Card payments over the phone, in addition to the website, they will no longer qualify for the short form SAQ A, because they are now processing, transmitting and potentially storing Credit/Debit Card data in their environment. They will instead be required to fill out the SAQ C.
b. Service Providers:
Like merchants, any business that processes, handles or stores Credit/Debit Card data on behalf of a merchant is required to be PCI DSS Compliant. Visa maintains a list of Global PCI DSS Validated Service Providers on their website. Merchants are required to make sure their provider has been validated as PCI DSS Compliant. Achieving the Level 1 compliance requires an onsite audit by a Qualified Security Assessor.
Goals and Requirements of PCI-DSS that need to be met by Merchants and Service Providers:

| Goals | PCI-DSS Requirements |
|---|---|
| Build and Maintain a Secure Network | Install and maintain a firewall configuration to protect cardholder data; do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | Protect stored cardholder data; encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | Use and regularly update anti-virus software or programs; develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | Restrict access to cardholder data by business need to know; assign a unique ID to each person with computer access; restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | Track and monitor all access to network resources and cardholder data; regularly test security systems and processes |
| Maintain an Information Security Policy | Maintain a policy that addresses information security for all personnel |
Benefits of PCI-DSS:
- Reduces the Risk of a Data Breach
- Helps to Avoid Fines
- Protects Customers
- Improves Brand Reputation
- Imparts a Mindset of Security
- Serves as a Globally Accepted Standard
We, TUV India Pvt Ltd (TUV NORD GROUP), provide complete support on PCI-DSS assessment through our highly qualified, competent and industry-experienced QSAs (Qualified Security Assessors, a designation conferred by the PCI Security Standards Council).
About The Author
TUV India Pvt Ltd
TUV NORD GROUP
certificationindia@tuv-nord.com