One of the ways the credit card networks have tried to crack down on credit card fraud is by requiring merchants to comply with a set of rules called the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council (PCI SSC) was formed in December, 2004, to combine the security programs of all the major credit card networks (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc) into one global standard. Thus, the PCI DSS was born with the aim to “help facilitate the broad adoption of consistent data security measures on a global basis” and “help organizations proactively protect customer account data.”
What does this mean for you?
If you accept credit or debit cards from any of these networks, you are required to comply with the PCI DSS. Complicated? In theory, not really. The PCI SSC breaks the requirements for processing, storing or transmitting payment cardholder data down into 12 requirements which are handily explained in their PCI SSC Quick Guide.
Goals |
PCI DSS Requirements |
Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters |
Protect Cardholder Data | 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks. |
Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications |
Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data |
Regularly Monitor and Test | 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes |
Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors |
In fact, you can get a lot of good information from the PCI SSC official site.
MasterCard has also put together a series of free webinars that help explain PCI compliance.
In order to be compliant, your equipment and payment applications also need to be approved by PCI DSS standards. This includes pin pad equipment, which has its own set of rules (the PTS). The PCI SCC site maintains a list of approved equipment and software/payment applications, which is updated regularly as new equipment and software is developed.
How is the PCI DSS enforced?
The PCI DSS is enforced by the card associations, not by the PCI SSC. The level of compliance varies by your annual number of credit/debit card transactions as defined by each of the card associations. If you fail to comply with PCI DSS, you may be subject to fines, fees or assessments and/or termination of processing service.
While the PCI DSS is a common standard, each payment brand has its own compliance program and each have their own criteria for compliance: