If your clients pay with a credit card for products or services, ITC can help your business be compliant and stay protected from cyber attacks and breaches.
Visit ITC's technology library to learn the latest IT trends and topics.

Understanding PCI DSS

Payment Card Protection

To ensure the protection of businesses and their customers, the Payment Card Industry Security Standards Council (PCI SSC) publishes a checklist of security requirements for companies that handle credit card transactions.


These requirements are known as the Payment Card Industry Data Security Standard, or PCI DSS, and compliance is essential for all businesses that process, store, or transmit sensitive digital payment information (e.g., credit card data) for consumer transactions.

What is PCI DSS?

PCI DSS is a worldwide standard of data security put in place to directly combat the staggering level of fraud and theft that takes place in payment card transactions.


In 2019, $28.65 billion was lost to payment card fraud. This number is expected to surge upwards of $38.50 billion by the year 2027.

When fraud happens

The monetary results of payment card fraud are daunting, yet there are further consequences of not protecting sensitive cardholder data, including:

  • Loss of client confidence

  • Cost of reissuing a new card

  • Higher subsequent costs of compliance and monitoring

  • Legal costs, settlements and judgments

  • Fines and penalties

  • Termination of your client’s ability to accept credit cards

  • Lost jobs

  • Bankruptcy or going out of business

Why PCI DSS?

PCI DSS standards have been created to protect consumers by ensuring businesses adhere to best-practice security standards when processing payment card transactions.


The PCI SSC does not enforce compliance: individual payment brands or acquiring banks are responsible for ensuring compliance.


PCI DSS is intended to protect both sensitive cardholder data and the businesses that process, store, and transmit that data.

Who PCI DSS Affects

PCI DSS applies to all businesses that store, process or transmit credit or debit cardholder data and/or sensitive authentication data.


If a business outsources its payment processing to a third party, the business remains responsible for ensuring that the account data is adequately protected by that third party, as PCI DSS requires.


How PCI DSS Impacts Your Business

PCI DSS is designed to protect cardholders' sensitive information by ensuring that adequate controls are in place to govern the processes, people, and systems that access the data.


Cardholder data and sensitive authentication data are defined as follows:

  • Cardholder data includes Primary Account Number (PAN), cardholder name, expiration date and service code.

  • Sensitive authentication data includes full track data (magnetic-stripe data or the equivalent data contained on a chip), CAV2/CVC2/CVV2/CID and PINs or PIN blocks.

The PAN

The PAN is the critical element of cardholder data. If the cardholder name, service code, and/or expiration date are stored, processed, or transmitted together with the PAN, or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with PCI DSS requirements.

Where Does Data Loss Occur

Cardholder data and sensitive authentication data loss can occur in multiple areas and in numerous scenarios, including:

  • Compromised card reader

  • Point of sale system

  • Storage networks

  • Database

  • Online portals

  • Wireless routers

  • Filing cabinet

  • Varying electronic eavesdropping methods (e.g., hidden cameras or wiretaps)

PCI DSS Requirements

In May 2018, the PCI SSC updated the PCI DSS standards to address emerging threats and new methods of data processing and storage.

The 12 requirements outlined in PCI DSS are considered data security best practice by the major credit card companies for processing sensitive payment information, and they are categorized into six sections.

Businesses can demonstrate compliance with PCI DSS standards by implementing tight controls surrounding the storage, transmission, and processing of cardholder data, and maintaining adequate monitoring, testing, and reporting of yearly results.

PCI DSS 12-Step Checklist

ITC can help you be PCI DSS compliant.

Goals 1 & 2
Build and Maintain a Secure Network and Systems

Install a firewall and maintain appropriate configurations to protect cardholder data.

Immediately change vendor-supplied defaults for system passwords and other security parameters.

Make sure all of the technology your employees use is safe. Let ITC show you how to protect all of your technology.

Goals 3 & 4
Protect Cardholder Data

Protect stored cardholder data.

Encrypt transmission of cardholder data across open, public networks.

Goals 5 & 6
Maintain a Vulnerability Management Program

Protect all systems against malware and regularly update anti-virus software or programs.

Develop and maintain secure systems and applications.

Goals 7, 8 & 9
Implement Strong Access Control Measures

Restrict access to cardholder data to only those users who require it (i.e., “need to know”).

Identify and authenticate access to system components.

Restrict physical access to cardholder data.

Goals 10 & 11
Regularly Monitor and Test Networks

Track and monitor all access to network resources and cardholder data.

Regularly test security systems and processes.

Goal 12
Maintain an Information Security Policy

Maintain a policy that addresses information security for all personnel.


Additional PCI DSS requirements for shared hosting providers: Shared hosting providers must protect the cardholder data environment.
