What is PCI DSS Compliance?
PCI DSS is the abbreviation of Payment Card Industry Data Security Standard. The term refers to the global minimum standard for data security that applies whenever credit card data is processed in a payment system.
The standard was drawn up and introduced in 2006 by the PCI Security Standards Council (PCI SSC) with the aim of protecting credit card information. It is intended to protect the data of private individuals, of the banks themselves and of the other participants in the payment process. The PCI SSC was created through the cooperation of Mastercard, Visa, American Express, Discover and JCB.
PCI DSS compliance is not mandated by law for companies or organizations. However, companies can expect high fines if they have been negligent in processing credit card data. PCI DSS is a big step towards preventing credit card fraud, and every company that achieves PCI DSS compliance actively contributes to the goals of the PCI SSC.
What does it mean to process credit card information regarding PCI DSS?
Processing in the sense of PCI DSS includes, among other things, the storage and forwarding of credit card information as well as the direct processing of cardholder data. This data can be processed over a network, in other digital forms or on paper. PCI DSS is therefore applicable to all companies or organizations that accept credit cards as a means of payment or that process credit card information in any other form.
How do companies achieve PCI DSS compliance?
Businesses or organizations that process credit card information (from small online merchants to large banks) are required to achieve PCI DSS compliance and to meet the minimum requirements on an ongoing basis. To demonstrate that the minimum requirements have been met, it may be sufficient to submit the correct Self-Assessment Questionnaire (SAQ), completed fully and truthfully; otherwise a PCI Advisory Board-approved auditor must be consulted.
PCI DSS compliance is built on 12 main requirements, each of which has many sub-requirements. In total, there are over 300 requirements that may have to be met. Not every company has to fulfill the same number of them: the minimum standard a company must demonstrate to be PCI DSS compliant depends on which of the four levels specified by the PCI SSC the company is classified at.
Level 1 to Level 4 of PCI DSS compliance
The levels differ mainly in the number of transactions performed by a company or organization per year. Besides this criterion there are other criteria by which a level classification is possible, which we will not discuss further here. The transaction volumes of the respective levels are:
- Level 1: more than 6 million transactions annually via Visa and/or Mastercard, or more than 2.5 million transactions annually via American Express
- Level 2: 1 to 6 million transactions per year
- Level 3: between 20,000 and one million transactions per year
- Level 4: from fewer than 20,000 up to one million transactions per year
The 12 main requirements of PCI DSS
- Install and maintain firewall configurations to protect cardholder data.
- Do not keep supplier default settings (system passwords and other security-relevant parameters); they must be changed.
- Protect stored cardholder data through encryption and adhere to defined procedures for the storage and disposal of data.
- Encrypt cardholder data when transmitting it over open and public networks (e.g. Bluetooth).
- Protect systems against viruses, malware and other attacks by installing and regularly updating anti-virus software or comparable programs.
- Develop secure systems and maintain them with ongoing updates.
- Grant access to credit card information only to those persons whose access is justified by business requirements (“need to know” principle).
- Access to system components must be attributable to specific persons, and these persons must authenticate themselves. This can be done, for example, using individual authorizations and multi-factor authentication.
- In addition to digital access, physical access to cardholder data must also be restricted and monitored.
- Track and monitor all access to network resources and cardholder data.
- Test security systems and security procedures regularly and improve them as needed.
- Maintain policies that address information security for all employees.
PCI DSS compliance achieved and now?
Anyone who has dealt with PCI DSS will know that it is not easy even to determine which requirements apply to which company in the first place. Implementing them and proving that they are met is costly, but it should be worth it. Those who are not PCI DSS compliant can expect B2B connections to break off, partnerships not to materialize at all, or informed customers to walk away and look elsewhere. Furthermore, it should not be forgotten that achieving PCI DSS compliance once is not sufficient to remain certified permanently. The Payment Card Industry Data Security Standard is to be understood as a permanent process, and accordingly the minimum requirements must be fulfilled on an ongoing basis.
The requirements are revised and published every three years. Those who want to stay informed in the meantime and do not want to miss updates should consider becoming a member of the PCI Security Standards Council.