The Payment Card Industry Data Security Standard (PCI DSS) affects more of our customers than any other compliance standard.
If you are a merchant that accepts credit card payments, you are required to be PCI DSS compliant. Third party processors, gateway providers and any other providers to merchants of point of sale equipment, software, systems or other payment processing solutions or services are also required to maintain PCI DSS Compliance.
The PCI DSS Security Council states that there are three ongoing steps for adhering to the standard; Asses, Remediate and Report.
PCI DSS was created to increase controls around cardholder data to reduce credit card fraud. The PCI Standard is mandated by the credit card brands and administered by the Payment Card Industry Security Standards Council. On December 15, 2004 Visa, Mastercard, American Express, Discover and JCB aligned their individual policies and released version 1.0 of The Payment Card Industry Standard. The standard is currently in Version 3.1, which released in April of 2015.
The recent revision of Version 3.0 to 3.1 includes minor updates, clarifications and addresses vulnerabilities within SSL (Secure Socket Layer) encryption of payment data. In order to maintain compliance, businesses must upgrade to a current, secure version of TLS (Transport Layer Security). SSL and early versions of TLS cannot be used to protect payment data after June 30, 2016.
The PCI DSS Security Council states that there are three ongoing steps for adhering to the standard; Asses, Remediate and Report.Assess is the process of taking inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that may put cardholder information at risk.Remediate is the process of fixing any vulnerabilities.Report entails the compilation of records required by PCI DSS to validate remediation, and submission of compliance reports to the acquiring bank and card payment brands you do business with.
A comprehensive breakdown of the 12 PCI DSS Requirements and their subsections can be found in the compliance section of our resources page. An overview of the goals and requirements are listed in the below:
PCI DSS Requirements
Build and maintain a secure network
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
Use and regularly update anti-virus software and programs
Develop and maintain secure systems and applications
Implement strong access control measures
Restrict access to cardholder data by business need to know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Regularly monitor and test networks
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain an information security policy
Maintain a policy that addresses information security for all personnel
In order to maintain PCI DSS Compliance, each of these 12 requirements must be validated by either a Self or Outside Assessment. The type of assessment required is based upon merchant levels, which are determined by the number of transactions processed for each card brand and other criteria. Merchants that have suffered a hack or attack that resulted in account data being compromised may be required to comply with a more stringent level, despite the number of yearly transactions. Card brands may also have additional requirements for compliance and enforcement. More information about card specific programs and requirements can be found using the following links:
Visa MasterCard Discover American Express
There is a change on the horizon regarding credit and debit card transactions as we know them. The magnetic strip many of us currently have on our credit cards will soon be replaced by cards that contain an EMV Chip. EMV (Europay, MasterCard and Visa) is the global standard for inter-operation of integrated circuit cards, or chip cards, point of sale terminals and ATM’s. EMV chip card transactions offer improved security over magnetic strip cards against fraud and make global financial transactions work across many cards and devices. This increased fraud protection has allowed banks and credit card issuers to push through a liability shift, making merchants liable for any fraud that results from transactions on processing systems that are not EMV capable. Europe, Canada, Latin America and the Asia/Pacific region have implemented liability shifts and migration to EMV chip technology. In October of this year the liability shift will take effect in the United States.
Additional information and details concerning EMV chip cards, and the liability shift can be found at: emvco.com and smartcardalliance.org
References EMVCo. Accessed May 6, 2015. http://www.emvco.com/.
n.d. PCI Standards Council, LLC . Accessed May 5, 2015. www.pecsecuritystandards.org.
n.d. Smart Card Alliance . Accessed May 5, 2015. www.smartcardalliance.org.