The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.
The standard is maintained by the Payment Card Industry Security Standards Council, which maintains both the PCI DSS and a number of other standards, such as the Payment Card Industry PIN Entry Device security requirements (PCI PED) and the Payment Application Data Security Standard (PA-DSS).
Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require signoff by a QSA for submission.
PCI DSS went into effect December 31, 2006. On October 1, 2008, the PCI Security Standards Council announced general availability of version 1.2 of the PCI DSS that does not introduce any new major requirements to the existing standard, but does change some practices. Entities that fail to comply with PCI DSS face fines and increases in the rates that the credit card companies charge for transactions, and potentially can have their authorization to process payment cards revoked.
The current version of the standard (1.2) specifies 12 requirements for compliance, organized into six logically related groups, which are called "control objectives."
|Control Objectives||PCI DSS Requirements|
|Build and Maintain a Secure Network||1. Install and maintain a firewall configuration to protect cardholder data.||2. Do not use vendor-supplied defaults for system passwords and other security parameters.|
|Protect Cardholder Data||3. Protect stored cardholder data|
|4. Encrypt transmission of cardholder data across open, [[public networks|
|Maintain a Vulnerability Management Program||5. Use and regularly update anti-virus software] on all systems commonly affected by malware|
|6. Develop and maintain secure systems and applications|
|Implement Strong Access Control Measures||7. Restrict access to cardholder data by business need-to-know|
|8. Assign a unique ID to each person with computer access|
|9. Restrict physical access to cardholder data|
|Regularly Monitor and Test Networks||10. Track and monitor all access to network resources and cardholder data|
|11. Regularly test security systems and processes|
|Maintain an Information Security Policy||12. Maintain a policy that addresses information security|
Enforcement of compliance is done by the bodies holding relationships with the in-scope organizations. Thus, for organizations processing Visa or Mastercard transactions, compliance is enforced by the organization's acquirer, while organizations handling American Express transactions will deal directly with American Express for the purposes of compliance.
In the case of third party suppliers such as hosting companies who have business relationships with in-scope organizations, enforcement of compliance falls to the in-scope company, as neither the acquirers nor the card brands will have appropriate contractual relationships in place to mandate compliance. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined.
- ↑ See 2007 Tex. H.B. No. 3222 which mandates PCI DSS compliance, and provides a safe harbor under the statute if the business that suffered the data breach was in compliance with PCI DSS 90 days before the date of the security breach.
- ↑ PCI DSS-PCI Security Standards Council
- ↑ In Data Leaks, Culprits Often Are Mom, Pop
|This page uses Creative Commons Licensed content from Wikipedia (view authors).|