What are the PCI DSS Requirements?
PCI DSS stands for Payment Card Industry Data Security Standard. If your business stores, processes or transmits cardholder data, you need to pay special attention to the way you handle those payments. The PCI DSS is the standard all such entities must adhere to in order to protect customer data, their finances and their business's reputation.
The PCI Security Standards Council sets these payment card standards. Together with the main card schemes, including American Express, Discover, JCB International, MasterCard and Visa, the council provides tools to help with PCI DSS implementation. It also assists with education and awareness, and approves Qualified Security Assessors (QSAs) to perform on-site PCI DSS assessments.
What are the requirements?
Whilst some of the requirements may not be applicable to your role, it's still important to be aware of what your organisation should be doing to protect payment card data. There are 12 requirements, split across 6 goals:
Build and maintain a secure network:
1) Businesses must install and maintain a firewall configuration to protect cardholder data.
2) Businesses should not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data:
3) Businesses are required to protect stored cardholder data.
4) Transmission of cardholder data across open, public networks must be encrypted.
Maintain a vulnerability management programme:
5) Businesses should use and regularly update anti-virus software or programs.
6) Businesses are required to develop and maintain secure systems and applications.
Implement strong access control measures:
7) Access to cardholder data must be restricted by business need-to-know.
8) A unique ID should be assigned to each person with computer access.
9) Businesses should restrict physical access to cardholder data.
Regularly monitor and test networks:
10) All access to network resources and cardholder data should be tracked and monitored.
11) Businesses must regularly test security systems and processes.
Maintain an information security policy:
12) Finally, businesses should maintain a policy that addresses information security for all personnel.
Who are the PCI DSS requirements relevant to?
Any entity that stores, processes or transmits cardholder data should comply with PCI DSS. For example:
- Merchants: A merchant accepts a payment card from a cardholder in return for products and services.
- Service providers and third parties: A service provider or third party (such as a payment service provider or software vendor) stores, processes or transmits cardholder data on behalf of a merchant.
- Financial institutions: A financial institution processes, stores and transmits payment card data when carrying out transactions such as investments, loans and deposits. This category includes banks, insurance companies, investment dealers and brokerage firms.
- Card schemes: Card schemes set and comply with the PCI DSS standards.
Merchant and service provider levels rank an entity by its annual transaction volume. This ranking determines the risk level of a merchant or service provider, the appropriate level of security for their business, and the assessment and validation requirements they must meet. There are four merchant levels and two service provider levels.
Why should you be aware of PCI DSS requirements?
The PCI DSS requirements are not enforced by law. However, there are significant financial costs associated with ignoring them. By complying with the industry standard, you can effectively control the risks associated with cyberattacks. For example, data breaches have become much more prevalent in recent years as technology has advanced. If you have suffered a data compromise, paying for a PCI Forensic Investigator (PFI) to establish the source of the breach can cost thousands of pounds. You may also have to pay significant card scheme fines.
Data losses also often involve the loss of personal data, which means a breach of the Data Protection Act 1998. The Information Commissioner's Office (ICO) has enforcement powers to impose fines of up to £500,000 for this. Aside from the substantial financial losses, your business also loses the confidence and trust of many customers, which reduces sales and can lead to organisations going out of business. Therefore, whilst PCI compliance isn't officially mandatory, you should conform to the requirements responsibly to protect your business's longevity.