Payment Card Industry Data Security Standards (PCI DSS)
(By Shahid Rafiq)
Background.
The breach or theft of payment card data affects the entire payment card ecosystem. Customers suddenly lose trust in merchants or financial institutions, and their credit can be negatively affected; the personal fallout is enormous. Merchants and financial institutions lose credibility (and in turn, business), and they are also subject to numerous financial liabilities. As a result, the Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. It is an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
PCI Security Standards.
The Payment Card Industry Data Security Standard
(PCI DSS) was developed by PCI SSC to encourage and enhance cardholder data
security and facilitate the broad adoption of consistent data security measures
globally. PCI DSS provides a baseline of technical and operational requirements
designed to protect cardholder data. PCI DSS applies to all entities involved in
payment card processing—including merchants, processors, acquirers, issuers, and
service providers, as well as all other entities that store, process or transmit
cardholder data (CHD) and/or sensitive authentication data (SAD). The PCI Data
Security Standard specifies twelve requirements for compliance, organized into six
logically related groups called "control objectives".
Control Objectives/ Goals and Requirements. Each version of PCI DSS has
divided these twelve requirements into a number of sub-requirements differently,
but the twelve high-level requirements have not changed since the inception of the
standard.
Control Objectives/Goals and their Requirements:

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors

How to Comply with PCI DSS?
Merchants and other entities that store, process and/or transmit cardholder data must comply with PCI DSS. Depending on an entity's classification or risk level (determined by the individual payment card brands), processes for validating compliance and reporting to acquiring financial institutions usually follow this track:
- PCI DSS Scoping – determine what system components are governed by PCI DSS
- Assessing – examine the compliance of system components in scope
- Compensating Controls – assessor validates alternative control technologies/processes
- Reporting – assessor and/or entity submits required documentation
- Clarifications – assessor and/or entity clarifies/updates report statements (if applicable) upon request of the acquiring bank or payment card brand

While the Council is responsible for managing the data security standards, each payment card brand maintains its own separate compliance enforcement programs. Each payment card brand has defined specific requirements for compliance validation and reporting, such as provisions for performing self-assessments and when to engage a Qualified Security Assessor (QSA).