An Overview of the Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that companies that accept, process, store or transmit credit card information maintain a secure environment. The PCI DSS was created by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. in 2006.
The Goal of PCI DSS
The goal of the PCI DSS is to protect cardholder data. This refers to any information printed, processed, transmitted or stored in relation to a payment card. This includes the primary account number, cardholder name, expiration date and service code. By adhering to the PCI DSS, companies ensure that customer payment card information is properly secured.
Requirements of PCI DSS Compliance
The PCI DSS provides a baseline of technical and operational requirements for protecting cardholder data. It applies to any entity that stores, processes or transmits payment card data. This includes merchants, processors, acquirers, issuers and service providers.
The PCI DSS contains the following six categories of requirements:
1. Build and Maintain a Secure Network
This section covers requirements for firewalls, router configuration and overall network security. Companies must restrict traffic only to trusted networks and PCI DSS-compliant services.
2. Protect Cardholder Data
These requirements outline the proper handling of cardholder data. This includes encryption, storage, transmission and display of primary account numbers and other sensitive data.
3. Maintain a Vulnerability Management Program
Here, companies must protect systems against malware and regularly update antivirus software. They must also develop and maintain secure systems and applications.
4. Implement Strong Access Control Measures
Requirements cover assigning unique IDs, restricting access to cardholder data and tracking access with audit trails. Multifactor authentication is required for remote access.
5. Regularly Monitor and Test Networks
Companies must track and monitor access to networks and cardholder data. They must run vulnerability scans and penetration tests and regularly test security systems.
6. Maintain an Information Security Policy
This states that companies must maintain policies for data security, including employee security training and testing, service provider oversight and more.
Benefits of PCI DSS Compliance
While meeting all PCI DSS requirements involves some investment of time and resources, it comes with significant benefits. These include:
– Preventing costly data breaches that can lead to fines, lawsuits and reputational damage
– Meeting the PCI compliance standards required by the major credit card brands
– Building customer trust by demonstrating a commitment to protecting sensitive information
– Reducing the risk of experiencing a breach and having to undergo costly incident response
Overall, the PCI DSS provides a comprehensive data security framework that helps companies safely handle customer payment information. By making data security central to everyday operations, businesses can avoid major compliance failures down the road.
Validating PCI DSS Compliance
Companies must validate that they meet PCI DSS requirements on an annual basis. There are four levels of merchant validation, based on the volume of transactions processed annually.
Level 1
Merchants processing over 6 million Visa transactions or over 2.5 million Mastercard transactions per year. These companies must undergo annual onsite PCI DSS assessments by a Qualified Security Assessor (QSA).
Level 2
Merchants processing 1 million to 6 million Visa transactions or 50,000 to 2.5 million Mastercard transactions annually. These merchants can complete self-assessments using the PCI DSS Self-Assessment Questionnaire (SAQ) and must have quarterly network scans by an Approved Scan Vendor (ASV).
Level 3
This includes companies processing 20,000 to 1 million Visa e-commerce transactions or merchants processing 50,000 to 1 million Visa transactions of any kind per year. They must fill out the SAQ annually and undergo quarterly network scans by an ASV.
Level 4
Smaller merchants processing less than 20,000 Visa e-commerce transactions or up to 1 million Visa transactions of any kind annually. These companies can complete an annual SAQ and must undergo quarterly network scans by an ASV.
What Happens After a Data Breach?
If a merchant experiences a data breach impacting cardholder data, they must immediately begin incident response processes outlined in the PCI DSS. This includes preserving evidence about how the breach occurred, isolating affected systems and alerting impacted parties.
The merchant must inform their acquiring bank and the card brands. Forensic investigators will analyze the breach to identify the root cause. Depending on the severity of the breach, fines and assessments may be levied against the merchant.
Fines for Noncompliance
Merchants can face substantial fines from card brands for PCI DSS noncompliance. For example, Visa charges merchants $5,000 to $25,000 per month for Level 1-3 noncompliance.
For particularly severe PCI DSS failures resulting in account data compromise, fines can reach $100,000 per month until resolved. Mastercard and other brands have similar fines.
Data Breach Fines
If a breach occurs, additional fines from the card brands can include:
– $25,000 to $100,000 per month for PCI compliance violations
– $5,000 to $25,000 per month for reporting delays
– $10,000 to $25,000 per card brand for excessive fraud levels
Card companies may also force noncompliant entities to undergo forensic audits and take other corrective measures.
Implementing a PCI DSS Compliance Program
Becoming PCI compliant requires an ongoing program, not just a one-time checklist. Key elements include:
– Assembling a cross-functional PCI compliance team.
– Documenting all systems, data flows and processes related to cardholder data.
– Identifying any gaps between the current environment and PCI requirements.
– Prioritizing remediation of gaps and applying PCI DSS controls.
– Developing policies, procedures and training programs to maintain compliance.
– Conducting tests, scans and audits to validate compliance.
– Maintaining compliance as systems, regulations and threats evolve.
With the right stakeholders, commitment and assessment process in place, companies can effectively implement and monitor PCI DSS compliance over the long term. This protects customer payment data and avoids consequences of a breach.