Payment Card Protection
To protect businesses and their customers, the Payment Card Industry Security Standards Council (PCI SSC) publishes a set of security requirements for companies that handle payment card transactions.
These requirements are known as the Payment Card Industry Data Security Standard, or PCI DSS, and compliance is essential for every business that processes, stores, or transmits sensitive payment information (e.g., credit card data) for consumer transactions.
What is PCI DSS?
PCI DSS is a worldwide data security standard created to combat the staggering level of fraud and theft that takes place in payment card transactions.
In 2019, $28.65 billion was lost to payment card fraud. This number is expected to surge upwards of $38.50 billion by the year 2027.
When fraud happens
The monetary results of payment card fraud are daunting, yet there are further consequences of not protecting sensitive cardholder data, including:
Loss of client confidence
Cost of reissuing cards
Higher subsequent costs of compliance and monitoring
Legal costs, settlements and judgments
Fines and penalties
Termination of your client’s ability to accept credit cards
Bankruptcy or going out of business
Why PCI DSS?
PCI DSS was created to protect consumers by ensuring that businesses adhere to best-practice security standards when processing payment card transactions.
The PCI SSC does not enforce compliance: individual payment brands or acquiring banks are responsible for ensuring compliance.
PCI DSS is intended to protect both sensitive cardholder data and the businesses that process, store, and transmit it.
Who PCI DSS Affects
PCI DSS applies to all businesses that store, process or transmit credit or debit cardholder data and/or sensitive authentication data.
If a business outsources its payment processing to a third party, the business remains responsible for ensuring that the third party protects the account data as PCI DSS requires.
How PCI DSS Impacts Businesses
PCI DSS is designed to protect cardholders' sensitive information by ensuring that adequate controls are in place to govern the processes, people, and systems that access the data.
Cardholder data and sensitive authentication data are defined as follows:
Cardholder data includes Primary Account Number (PAN), cardholder name, expiration date and service code.
Sensitive authentication data includes full track data (magnetic-stripe data or the equivalent data contained on a chip), CAV2/CVC2/CVV2/CID and PINs or PIN blocks.
The PAN is the critical element of cardholder data. If the cardholder name, service code, and/or expiration date are stored, processed, or transmitted with the PAN, or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with PCI DSS requirements.
Where Does Data Loss Occur?
Cardholder data and sensitive authentication data loss can occur in multiple areas and in numerous scenarios, including:
Compromised card reader
Point of sale system
Varying electronic eavesdropping methods (e.g., hidden cameras or wiretaps)
PCI DSS Requirements
In May 2018, the PCI SSC updated PCI DSS (version 3.2.1) to address emerging threats and new methods of data processing and storage.
PCI DSS consists of twelve requirements, grouped under six goals, that the major card brands treat as baseline security practice for processing sensitive payment information.
Businesses demonstrate compliance by implementing tight controls over the storage, transmission, and processing of cardholder data, and by monitoring, testing, and reporting on those controls annually.
PCI DSS 12-Step Checklist
The checklist below can help you become PCI DSS compliant.
Requirements 1 & 2
Build and Maintain a Secure Network and Systems
Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters; change them before a system goes into service.
Requirements 3 & 4
Protect Cardholder Data
Protect stored cardholder data.
Encrypt transmission of cardholder data across open, public networks.
Requirements 5 & 6
Maintain a Vulnerability Management Program
Protect all systems against malware and regularly update anti-virus software or programs.
Develop and maintain secure systems and applications.
Requirements 7, 8 & 9
Implement Strong Access Control Measures
Restrict access to cardholder data by business need to know.
Identify and authenticate access to system components.
Restrict physical access to cardholder data.
Requirements 10 & 11
Regularly Monitor and Test Networks
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
Requirement 12
Maintain an Information Security Policy
Maintain a policy that addresses information security for all personnel.
Additional PCI DSS requirements for shared hosting providers: Shared hosting providers must protect the cardholder data environment.
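As an added example, not from this page and not PCI SSC material, the following Python script shows one practical way to act on the "Protect stored cardholder data" item and on the data definitions above: it scans log lines for candidate PANs, keeps only those that pass the Luhn check used by payment card numbers, masks them to the first six and last four digits (the maximum PCI DSS 3.3 in v3.2.1 allows to be displayed; your own policy may show less), and flags fields that carry sensitive authentication data (CVV2 and similar), which must never be stored after authorisation. The regular expressions, the field names it looks for, and the sample log lines are all assumptions constructed for this example.

```python
"""PAN discovery and masking for log lines or stored records (added example).

Assumptions (not from the page):
- a candidate PAN is 13 to 19 digits, optionally separated by single spaces or dashes
- masking policy: show first six and last four digits (PCI DSS v3.2.1 req. 3.3 limit)
- sensitive authentication data (SAD) appears as key=value fields named cvv2, cvc2, cav2, cid or pin
"""
from __future__ import annotations

import re

# 13-19 digits, optional single space/dash between digits, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Fields whose values are SAD and must not be stored after authorisation (names assumed).
SAD_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2|cav2|cid|pin)\s*[=:]\s*(\d{3,4})\b")

# Constructed sample log lines; the card numbers are well-known public test numbers.
SAMPLE_LOG = [
    "2019-11-02T10:14:03Z checkout ok order=1234567890123456 pan=4111111111111111 exp=12/23",
    "2019-11-02T10:14:07Z gateway retry pan=5500 0000 0000 0004 cvv2=123",
    "2019-11-02T10:14:09Z refund amex=3782-822463-10005 amount=42.00",
    "2019-11-02T10:14:11Z healthcheck ok latency_ms=123",
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812-1): double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask everything in between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _valid_pan(raw: str) -> str | None:
    """Strip separators from a regex match and return the PAN if it passes Luhn."""
    digits = re.sub(r"[ -]", "", raw)
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else None


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs found in text, as plain digit strings."""
    return [p for m in PAN_CANDIDATE.finditer(text) if (p := _valid_pan(m.group(0)))]


def find_sad(text: str) -> list[str]:
    """Return the (lower-cased) names of SAD fields that carry a value in text."""
    return [m.group(1).lower() for m in SAD_FIELD.finditer(text)]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text by its masked form; leave other digit runs alone."""
    def _sub(m: re.Match) -> str:
        pan = _valid_pan(m.group(0))
        return mask_pan(pan) if pan else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def scan_log(lines: list[str]) -> list[dict]:
    """Per line, report masked PANs and SAD field names; lines without findings are omitted."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans, sad = find_pans(line), find_sad(line)
        if pans or sad:
            findings.append({"line": n, "pans": [mask_pan(p) for p in pans], "sad": sad})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: PAN(s) {f['pans']} SAD fields {f['sad'] or 'none'}")
    print("redacted:", redact(SAMPLE_LOG[1]))
```

The Luhn filter is what keeps the order number on the first line (a 16-digit value that fails the checksum) from being reported or rewritten, while the three real test card numbers are masked. Note that the masked output is written without separators, that PIN blocks are not plain 3 or 4 digit values and will not be caught by the SAD pattern, and that a finding for a SAD field is a storage violation to fix at the source, not something to mask and keep.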