The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle credit cards from the major card brands. It was created to give better control over cardholder data and to reduce credit card fraud.
The major card brands had five different security programs:
- Visa’s Cardholder Information Security Program
- Mastercard’s Site Data Protection
- American Express’s Data Security Operating Policy
- Discover’s Information Security and Compliance
- JCB’s Data Security Program
The intention of these security programs is to create an additional level of protection for card issuers by ensuring that merchants meet a minimum level of security when storing, processing and transmitting cardholder data.
All organisations that accept credit or debit cards, or that store, process or transmit cardholder data, need to comply with the standard.
There are 12 requirements for compliance with PCI DSS:
- Install and maintain a firewall system to protect cardholder data.
- Avoid vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data on open, public networks.
- Protect all systems against malware, and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain an information security policy which addresses information security for all personnel.
How compliance is determined:
- Self-Assessment Questionnaire (SAQ) - a validation tool with which SME merchants assess their own compliance status.
- Report on Compliance (RoC) - an independent validation of an entity’s compliance, conducted by a Qualified Security Assessor (QSA).
- PCI Security Assessor