The Payment Card Industry Data Security Standard (PCI DSS) was created to increase controls around cardholder data to reduce credit card fraud. PCI DSS controls apply to all entities that store, process, or transmit cardholder data and cover both technical and operational system components. Any organization that accepts or processes payment cards must comply with the PCI DSS. Failure to meet the PCI DSS requirements may result in sizable fines or termination of credit card processing privileges.
The Payment Card Industry Security Standards Council administers the PCI DSS. The council's founding members (American Express, Discover Financial Services, JCB International, MasterCard, and Visa) incorporate the PCI DSS as part of the technical requirements for each of their data security compliance programs.
The council maintains, evolves, and promotes the security standards. It also provides tools for implementing the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.
PCI DSS compliance controls consist of six goals and 12 requirements.
| Goal | Requirement |
|---|---|
| Build and maintain a secure network. | 1. Install and maintain a firewall configuration to protect cardholder data. |
| Build and maintain a secure network. | 2. Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Protect cardholder data. | 3. Protect stored cardholder data. |
| Protect cardholder data. | 4. Encrypt transmission of cardholder data across open, public networks. |
| Maintain a vulnerability management program. | 5. Protect all systems against malware and regularly update antivirus software or programs. |
| Maintain a vulnerability management program. | 6. Develop and maintain secure systems and applications. |
| Implement strong access control measures. | 7. Restrict access to cardholder data by business need to know. |
| Implement strong access control measures. | 8. Identify and authenticate access to system components. |
| Implement strong access control measures. | 9. Restrict physical access to cardholder data. |
| Regularly monitor and test networks. | 10. Track and monitor all access to network resources and cardholder data. |
| Regularly monitor and test networks. | 11. Regularly test security systems and processes. |
| Maintain an information security policy. | 12. Maintain a policy that addresses information security for all personnel. |
All businesses that accept and process payment cards must comply with PCI DSS controls. PCI DSS controls are broken into four levels based on the volume of card transactions a merchant processes, with PCI Compliance Level 1 being the most stringent.
PCI Compliance Level 1
PCI Compliance Level 2
PCI Compliance Level 3
PCI Compliance Level 4
An external Qualified Security Assessor (QSA) company, an Internal Security Assessor (ISA) company, or a Self-Assessment Questionnaire (SAQ) validates compliance annually for companies handling smaller volumes. For Level 1 merchants undergoing an audit by a QSA, the 190-page PCI DSS Report on Compliance includes detailed questions on the business and its hosting environment, storage, and the processes used to monitor and test the organization's systems.
An organization seeking PCI DSS compliance can integrate with a third-party agent such as Very Good Security (VGS), which has been audited by an independent QSA company and is certified as a PCI Compliance Level 1 service provider as well as a Visa service provider.
For organizations anticipating a high volume of transactions, reaching Level 1 compliance can take six to 12 months or longer, on top of recurring annual maintenance and audits. The process usually involves dedicating full-time resources to build and maintain a secure network, protect data, maintain a vulnerability management program, implement strong access control, monitor and test networks, and enforce an information security policy. Integrating with a third party such as Very Good Security can cut that time significantly. PCI Compliance Level 2 can be reached immediately upon integration with Very Good Security, and PCI Compliance Level 1 certification can come within three weeks.
PCI DSS compliance requires annual review, as well as regular checks of systems, updates for personnel, and updates for antivirus programs.