PCI DSS stands for Payment Card Industry Data Security Standard. This standard (commonly known as ‘PCI’) is a set of security requirements that ensure the safe handling of payment card data. These standards, also adopted by Rackspace, were created by the five major card companies (American Express, Discover, JCB, MasterCard and Visa). The standard comprises 12 distinct requirements that are designed to:
PCI DSS comprises 12 requirements. These define the need to:
For PCI DSS purposes, “payment cards” encompasses all credit/debit/cash cards that are issued on any American Express, Discover, JCB, MasterCard or Visa branding.
Payment card data is information pertaining to credit/debit cards and their owner. This data is classified in 2 categories: Card Holder Data and Sensitive Authentication Data. PCI DSS imposes some storage restrictions on data elements making part of these categories.
Cardholder data refers to all information from a credit card or debit card that is used in a transaction. Commonly used elements of cardholder data include the Primary Account Number (PAN), Cardholder Name and Expiration Date displayed on the front of the card. All these elements, and more, are digitally stored on the magnetic stripe at the back of the card.
Sensitive Authentication Data is security-related information used to authenticate cardholders and authorize card transactions. Sensitive Authentication Data elements include magnetic stripe data and the Card Validation Code, the three- or four-digit security code found either on the front or on the back of a card (a.k.a. CVV, CVV2).
The PCI DSS sets out which data elements can be stored and how they should be protected. We can store the PAN, Cardholder Name, and Expiration Date cardholder data elements as long as they are protected. Protection should take the form of encryption using a strong technique such as AES; alternatively, the PAN must be hashed or truncated. This protection is important since the PAN together with one of the other elements is the minimum data required in certain instances for effecting a payment.
None. You cannot store Sensitive Authentication Data elements at all, even if encrypted, subsequent to the authorization of a transaction.
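The storage rules in the two answers above can be enforced in code at the point where a post-authorization record is written. The following is an added example, not Rackspace's or the PCI Council's code: it keeps the PAN only in truncated form (the common first-six/last-four layout, assumed here) plus a keyed hash, keeps name and expiry (assumed to be encrypted at rest by the storage layer), and drops every Sensitive Authentication Data field. The field names and the sample record are constructed.

```python
import hashlib
import hmac
import re

# Sensitive Authentication Data: never stored after authorization, even encrypted.
SAD_FIELDS = {"cvv", "cvv2", "track1", "track2", "pin_block"}
# Cardholder data elements that may be stored when protected.
CHD_FIELDS = {"pan", "cardholder_name", "expiry"}


def _pan_digits(pan: str) -> str:
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits


def truncate_pan(pan: str) -> str:
    """Mask all but the first six and last four digits (assumed truncation layout)."""
    digits = _pan_digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN. An unkeyed SHA-256 of a 16-digit number is cheap to
    brute-force, so a secret key (managed like an encryption key) is required."""
    if len(key) < 16:
        raise ValueError("PAN hashing key is too short")
    return hmac.new(key, _pan_digits(pan).encode(), hashlib.sha256).hexdigest()


def storable_record(captured: dict, key: bytes) -> dict:
    """Return the subset of a post-authorization record that may be stored.
    Fails closed: any field that is neither CHD nor SAD is rejected rather
    than passed through, so new fields must be classified before storage."""
    unknown = set(captured) - SAD_FIELDS - CHD_FIELDS
    if unknown:
        raise ValueError(f"unclassified field(s): {sorted(unknown)}")
    stored = {k: captured[k] for k in ("cardholder_name", "expiry") if k in captured}
    if "pan" in captured:
        stored["pan_truncated"] = truncate_pan(captured["pan"])
        stored["pan_hmac"] = hash_pan(captured["pan"], key)
    # SAD fields (cvv, track data, PIN block) are deliberately not copied.
    return stored


# Constructed sample: a record as captured at authorization time (test PAN).
SAMPLE_CAPTURE = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "J. DOE",
    "expiry": "12/26",
    "cvv": "123",
    "track2": "4111111111111111=2612...",
}
```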
Any individual, team, department, or organization that stores, processes, and/or transmits cardholder data must be PCI DSS compliant, regardless of the size of the entity or the volume of transactions made. However, PCI DSS requirements do not apply only to electronic data. We are duty-bound to dispose of printed material that contains payment card details and cardholder data in an appropriate way. In large environments where waste management is outsourced to subcontractors such as paper-shredding companies, the entities that request such services must make sure that their ‘service providers’ are PCI DSS compliant as well.
All merchants that accept payment card transactions are categorized in 4 distinct levels, as determined by their number of annual transactions:
These levels determine the validation processes that a merchant must undertake in order to achieve and maintain compliance.
All service providers that process credit card transactions are categorized in the following 3 levels:
These levels determine the validation processes that a service provider must undertake in order to achieve and maintain compliance.
Qualified security assessors (QSA) are audit firms that provide professional security auditing services to corporations that need to demonstrate the results of their PCI DSS compliance efforts. For a list of QSAs, visit: https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf
An approved scan vendor (ASV) is a vendor that provides network vulnerability and security scanning services to businesses that want to achieve PCI DSS compliance. For a list of ASVs, visit: https://www.pcisecuritystandards.org/pdfs/asv_report.html
A self-assessment questionnaire is a reporting requirement of PCI DSS compliance for merchants and service providers. It is completed in-house, without the need to contract 3rd parties. You must fill in this security-related questionnaire that queries the current and past state of network security.
Non-compliance with PCI DSS has consequences. You could face fines of up to $500,000 and expensive litigation costs. From an operational point of view, level 2, 3, or 4 merchants and service providers that suffer network security breaches can have their level escalated to level 1. This has an adverse impact in terms of cost, since compliance in the level 1 tier is more demanding. In addition, non-compliance damages brand reputation and exposes corporations to extensive negative publicity that undermines consumer confidence.
PCI DSS is a binding collection of rules that promote information technology security processes. PCI DSS aims to reduce financial fraud through heightened network security capabilities of whoever processes payment card information. There are many benefits of PCI DSS compliance. The most fundamental ones for an organization are:
Moving back to level 1 takes two years, with the first year allocated to fix any procedural errors that enabled the security breach. The second year is a buffering period to ensure that no new security breaches have occurred.
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License