PCI DSS Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard that governs the processing, storage and transmission of cardholder data. It applies to any organisation which processes, stores or transmits cardholder data; such organisations are classified as either a merchant or a service provider. An important point to note is that the standard is not just an IT compliance standard: it affects all areas of an organisation.

PCI DSS Background
The PCI DSS was founded in December 2004 by 5 major card brands: Visa, MasterCard, American Express, Discover and JCB. Ongoing maintenance of and updates to the standard are performed by the Payment Card Industry Security Standards Council (PCI SSC), an independent organisation jointly funded by all the participating card brands and participating organisations. The PCI DSS is now on its 4th major release, v2.0.

It is important to note that compliance is not a legal requirement; it is driven by the contractual agreements between merchants and acquiring banks, which cannot be ignored.

PCI DSS Requirements
The PCI DSS is broken down into 6 domains, each containing sections with their associated requirements, as follows:

  • Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software on all systems commonly affected by malware
    6. Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes
  • Maintain an Information Security Policy
    12. Maintain a policy that addresses information security

Why should an organisation comply with the PCI DSS?
There are a number of benefits of attaining PCI DSS compliance:

  • Provides your customers with assurance that card transactions will be handled securely by your organisation
  • Level 1 service providers who achieve PCI DSS compliance can ask to be added to the Visa and MasterCard lists of approved service providers
  • Avoidance of financial penalties, which are divided into two areas:
    1. Non-Compliance Costs
    2. Data Breach Costs, which can include:
      o Fines levied by your acquirer for the cardholder data breach
      o Elevation to a level 1 merchant, increasing your ongoing compliance costs
      o The need to have an onsite QSA assessment, which will add significant overhead to the demonstration of compliance
      o Consultancy costs for forensic assessments and remediation advice
      o Potential liability for consequential losses due to the card data breach
      o The fines which may be levied for non-compliance are potentially unlimited

Common Misconceptions
The following are common misconceptions in relation to PCI DSS compliance:

  • You can't fully outsource all your PCI DSS accountability, although you can outsource most of the responsibility for the provision of services; remember that some areas of the standard will ALWAYS remain in scope.
  • Using a PA-DSS compliant application or a PCI PTS compliant PED does not automatically make your company PCI DSS compliant.
  • A PCI DSS assessment or SAQ completion is just a snapshot. Compliance with PCI DSS must be maintained at all times, and evidence of this needs to be available.
  • PCI DSS is NOT an IT compliance standard; it affects all facets of an organisation.

For further information on our PCI compliance services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.
