What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for organizations that store, process, or transmit payment card data. The standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by the major card brands. Its objective is to reduce payment card fraud and the misuse of cardholder data, which the standard defines as the primary account number (PAN) together with the cardholder name, expiration date, and service code. By staying PCI DSS-compliant, businesses are better placed to prevent, detect, and remediate threats to cardholder data.
Who needs to be PCI DSS-compliant?
Every entity that stores, processes, or transmits cardholder data, or that can affect the security of the cardholder data environment, is required to be PCI DSS-compliant. In practice this means merchants, service providers (payment gateways, hosting providers, managed security providers), and the acquiring and issuing banks. Cardholders and the card networks themselves are participants in a transaction but are not assessed against the standard; the card brands instead enforce it through the acquiring banks.
How does PCI DSS compliance work?
PCI DSS compliance is an ongoing process, not a one-time audit. Organizations that fall under its purview repeat the three steps below continuously.
Assess
Identify every place cardholder data is stored, processed, or transmitted (including logs, backups, and spreadsheets outside the systems that are supposed to hold it), define the scope of the cardholder data environment, and check the in-scope systems and processes for vulnerabilities.
Remediate
Fix the vulnerabilities found in the hardware, software, and processes that handle payment card data, and stop storing cardholder data wherever it is not strictly needed.
Report
Document the assessment and remediation work and submit the required compliance reports (a Report on Compliance or Self-Assessment Questionnaire, as applicable) to the acquiring bank and the card brands you do business with.
PCI DSS compliance levels
Merchant compliance levels are defined by the individual card brands rather than by the PCI SSC, and are based on the number of transactions processed annually. The thresholds used by Visa and Mastercard, which most descriptions follow, are:
- Level 1: Entities that process over 6 million transactions per year. Level 1 merchants must validate compliance through an annual on-site assessment by a Qualified Security Assessor (QSA), producing a Report on Compliance (ROC).
- Level 2: Entities that process 1–6 million transactions per year.
- Level 3: Entities that process 20,000–1 million e-commerce transactions per year.
- Level 4: Entities that process fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year.
Levels 2 through 4 normally validate with a Self-Assessment Questionnaire (SAQ), and all levels are expected to complete quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). The requirements themselves do not change with the level; only the validation method does.
PCI compliance requirements
PCI DSS groups its twelve requirements under six control objectives. Together they cover the full lifecycle of payment card data in an organization.
| # | Objective | Requirement |
|---|---|---|
| 1 | Build and maintain a secure network and systems | Install and maintain a firewall configuration that protects cardholder data. |
| 2 | Build and maintain a secure network and systems | Do not use vendor-supplied defaults for system passwords and other security parameters. |
| 3 | Protect cardholder data | Protect stored cardholder data: decide what must be stored, keep it to a minimum, set retention periods and disposal methods, render the stored PAN unreadable (strong encryption, truncation, or tokenization), and mask the PAN when displayed (at most the first six and last four digits). |
| 4 | Protect cardholder data | Encrypt cardholder data in transit across open, public networks using strong cryptography. |
| 5 | Maintain a vulnerability management program | Protect all systems against malware and keep anti-virus software up to date. |
| 6 | Maintain a vulnerability management program | Develop and maintain secure systems and applications, including timely patching of known vulnerabilities. |
| 7 | Implement strong access control measures | Restrict access to cardholder data by business need to know, enforced through appropriate roles. |
| 8 | Implement strong access control measures | Identify and authenticate access to system components: a unique ID for every user and multi-factor authentication for administrative and remote access to the cardholder data environment. |
| 9 | Implement strong access control measures | Restrict physical access to cardholder data and to the facilities that hold it. |
| 10 | Regularly monitor and test networks | Track and monitor all access to network resources and cardholder data through audit logs that are protected and reviewed. |
| 11 | Regularly monitor and test networks | Regularly test security systems and processes: vulnerability scans, penetration tests, and file-integrity monitoring and change detection on critical files. |
| 12 | Maintain an information security policy | Maintain a policy that addresses information security for all personnel. |
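The Assess step above begins with locating cardholder data, and Requirement 3 then asks what is stored and how it is protected; in practice the most common surprise is a full PAN sitting in application logs. The following scanner is an added example written for this page, not code from the PCI SSC or from any product: it finds 13–19-digit candidates in text, uses the Luhn check to discard order numbers and other look-alike digit runs, and redacts real hits to the first six and last four digits, which is the maximum PCI DSS allows to be displayed. The log lines are constructed, and the PAN-like values in them are the publicly documented brand test numbers (which pass Luhn but belong to no account); the `Finding` type and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every real PAN satisfies it, so it filters out most order numbers and
    other numeric identifiers that merely look like card numbers.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (the PCI DSS display maximum)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    pan_masked: str


def scan_text(text: str) -> Tuple[List[Finding], str]:
    """Return (findings, redacted_text) for a block of log text.

    Candidates that fail Luhn are left untouched; candidates that pass are
    recorded as findings and replaced in the output with their masked form.
    """
    findings: List[Finding] = []
    redacted_lines: List[str] = []
    for line_no, line in enumerate(text.splitlines(), start=1):

        def redact(match: "re.Match[str]") -> str:
            digits = re.sub(r"[ -]", "", match.group(0))
            if not luhn_valid(digits):
                return match.group(0)          # e.g. an order or reference number
            masked = mask_pan(digits)
            findings.append(Finding(line_no, masked))
            return masked

        redacted_lines.append(PAN_CANDIDATE.sub(redact, line))
    return findings, "\n".join(redacted_lines)


# Constructed sample log; the card-like values are published test numbers.
SAMPLE_LOG = """\
2024-01-15 10:22:31 INFO checkout order=1234567890123456 pan=4111 1111 1111 1111 amount=49.99
2024-01-15 10:22:32 DEBUG gateway request card=5555-5555-5555-4444 exp=12/26
2024-01-15 10:22:33 WARN retry for 378282246310005 after timeout
2024-01-15 10:22:34 INFO customer phone=+1 415 555 0100 ref=4111111111111112
"""


def demo() -> List[Finding]:
    """Run the scanner over the sample log and print a short report."""
    findings, redacted = scan_text(SAMPLE_LOG)
    for f in findings:
        print(f"line {f.line_no}: PAN found, masked as {f.pan_masked}")
    print("--- redacted log ---")
    print(redacted)
    return findings


if __name__ == "__main__":
    demo()
```

Run against the sample, lines 1–3 are flagged (order number 1234567890123456 and the mistyped 4111111111111112 fail Luhn and are left alone) and the redacted copy shows 411111******1111, 555555******4444 and 378282*****0005. Two caveats: Luhn is a checksum, not proof that a number is a PAN, so findings still need a human look, and the redaction only treats the symptom. The Remediate step is to stop the application writing the PAN in the first place and to purge existing log archives and backups that contain it, because PCI DSS scope follows the data wherever it has leaked.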