PCI-DSS is Payment Card Industry Data Security Standards. It is self-explanatory as the name suggests, this standards applies to payment card industry.
Financial transactions are subject to risks, whether it is cash or card. For cash transactions, physical security is crucial. For card transactions, data security comes to the fore and physical security goes to the back. The payment card can be credit or Debit. If the payment card's financial and personal data is secured, it will prevent fruadulent transactions.
If the payment card data is not secure:
So, the payment card industry took the self initiative to regulate the card data transaction with data security standards.
Major players of the card data industry Visa, Master Card, American Express, Discover, and JCB formed an alliance in 2006 to create a security standards council for payment card industry. The council formulated the security standards for all the data involved in the payment card transaction. The PCI-DSS compliance applies to all the entities involved in the payment card transaction. The regulation covers small, medium, and big merchants, banks and financial institutions involved in card transactions are governed by PCI-DSS. For software application developers, it is PCI PA-DSS. For POS vendors and hardware manufactures, it is PCI-PTS. Out of these, PCI-DSS is important because it governs large number of entities. These entities are involved in millions of card transactions.
The data thieves look for the card holder and authentication data.
Card holder data
Sensitive authentication data
All those involved in the payment card transaction should ensure the data is secured. To secure the data, PCI-DSS security council has come up with a set of requirements to fulfill.
The PCI-DSS has 12 requirements and testing procedures covering the technical and operational components.
|What to achieve||How to achieve|
|Build and maintain a secure network||
|Protect cardholder data||
|Maintain a vulnerability management program||
Implement strong access control measures
|Regularly monitor and test networks||
|Maintain an information security policy||
It's a three step process to secure the card holder data for any organization.
In this step, identify card holder data, take inventory of IT assets & payment card business process, and analyze for vulnerability.
To assess, there are qualified security assessors. Choose an assessor available nearby. For small merchants and service providers Self Assessment Questionaire (SAQ) is sufficient.
Fix the vulnerability and do not store card holder data unless it is absolutely necessary.
Ensure that the compliance is monitored continuously. Periodic monitoring may have gapping holes for data theft.
Compile and submit the compliance report to the enforcing card brand or bank.
PCI-DSS security council does not enforce compliance. It is only the card brands or the bank.
Firewall Analyzer continuously monitors the network firewall for PCI-DSS compliance. The compliance report can be pulled any time to meet the audit requirements. You can also schedule reports and record them for future references. Refer the PCI-DSS compliance requirements covered by Firewall Analyzer.