Beth Stewart

PCI DSS - The Payment Card Industry Standard

Compliance
May 7, 2015

If you are a merchant that accepts credit card payments, you are required to be PCI DSS compliant and we have the details you need.

The Payment Card Industry Data Security Standard (PCI DSS) affects more of our customers than any other compliance standard. If you are a merchant that accepts credit card payments, you are required to be PCI DSS compliant. Third-party processors, gateway providers and any other providers that supply merchants with point-of-sale equipment, software, systems or other payment processing solutions or services are also required to maintain PCI DSS compliance.


PCI DSS was created to increase controls around cardholder data in order to reduce credit card fraud. The PCI Standard is mandated by the credit card brands and administered by the Payment Card Industry Security Standards Council. On December 15, 2004, Visa, MasterCard, American Express, Discover and JCB aligned their individual policies and released version 1.0 of the Payment Card Industry Standard. The standard is currently at Version 3.1, which was released in April of 2015.

The recent revision from Version 3.0 to 3.1 includes minor updates and clarifications, and addresses vulnerabilities within SSL (Secure Sockets Layer) encryption of payment data. In order to maintain compliance, businesses must upgrade to a current, secure version of TLS (Transport Layer Security). SSL and early versions of TLS cannot be used to protect payment data after June 30, 2016.

The PCI DSS Security Council states that there are three ongoing steps for adhering to the standard: Assess, Remediate and Report.

Assess is the process of taking inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that may put cardholder information at risk.

Remediate is the process of fixing any vulnerabilities.

Report entails the compilation of records required by PCI DSS to validate remediation, and submission of compliance reports to the acquiring bank and card payment brands you do business with.

A comprehensive breakdown of the 12 PCI DSS Requirements and their subsections can be found in the compliance section of our resources page. An overview of the goals and requirements is listed below:

PCI DSS Requirements

Build and maintain a secure network

Install and maintain a firewall configuration to protect cardholder data

Do not use vendor-supplied defaults for system passwords and other security parameters

Protect stored cardholder data

Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program 

Use and regularly update anti-virus software and programs

Develop and maintain secure systems and applications

Implement strong access control measures 

Restrict access to cardholder data by business need to know

Assign a unique ID to each person with computer access

Restrict physical access to cardholder data

Regularly monitor and test networks

Track and monitor all access to network resources and cardholder data

Regularly test security systems and processes

Maintain an information security policy

Maintain a policy that addresses information security for all personnel

In order to maintain PCI DSS Compliance, each of these 12 requirements must be validated by either a Self or Outside Assessment. The type of assessment required is based upon merchant levels, which are determined by the number of transactions processed for each card brand and other criteria. Merchants that have suffered a hack or attack that resulted in account data being compromised may be required to comply with a more stringent level, regardless of the number of yearly transactions. Card brands may also have additional requirements for compliance and enforcement. More information about card-specific programs and requirements can be found using the following links:

Visa      MasterCard      Discover      American Express

There is a change on the horizon regarding credit and debit card transactions as we know them. The magnetic stripe many of us currently have on our credit cards will soon be replaced by cards that contain an EMV chip. EMV (Europay, MasterCard and Visa) is the global standard for inter-operation of integrated circuit cards, or chip cards, with point-of-sale terminals and ATMs. EMV chip card transactions offer improved security against fraud over magnetic stripe cards and make global financial transactions work across many cards and devices. This increased fraud protection has allowed banks and credit card issuers to push through a liability shift, making merchants liable for any fraud that results from transactions on processing systems that are not EMV capable. Europe, Canada, Latin America and the Asia/Pacific region have implemented liability shifts and migration to EMV chip technology. In October of this year the liability shift will take effect in the United States.

Additional information and details concerning EMV chip cards and the liability shift can be found at emvco.com and smartcardalliance.org.

