The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard developed by the Payment Card Industry (PCI) Security Standards Council to protect cardholder information, such as credit and debit card numbers and cardholders’ personal details. It includes requirements for security management, network architecture, software design, security policies and procedures, and other protection of customer account data. The standard applies to any organisation that stores, transmits or processes cardholder information, whether it is a merchant, a third-party processor or an acquirer.
PCI DSS is a set of six principles that encompass 12 specific requirements. These requirements are equally applicable to any organisation holding personal information and are intended to reduce the organisation’s risk of a data breach.
Build and maintain a secure network
- install and maintain a firewall configuration to protect your cardholders’ data
- do not use vendor defaults for system passwords or other security actions
Protect your cardholder data
- protect any stored cardholder data
- encrypt transmission of your cardholders’ data across open, public networks
Keep a vulnerability management plan
- always use and regularly update your anti-virus software
- develop and maintain secure systems and applications
Implement strong access control practices
- limit access to cardholder data to only those who need to know
- give every person with computer access a unique ID
- limit physical access to cardholder data
Monitor and test your networks on a regular basis
- track and monitor all access to your network resources and cardholder data
- regularly test security systems and procedures
Keep an information security policy
- always keep a policy that addresses your information security
The PCI Security Standards Council encourages businesses that store payment data to comply with PCI DSS and become certified to help reduce the financial risks from data compromises. However, it is the payment card schemes, e.g. MasterCard or Visa, that manage the actual compliance programme. In practical terms this means the programme is managed by acquirers, so you should check with your bank for advice on your specific compliance obligations and on how your business can become certified.
Failure to be certified annually can become an issue if you have a security breach and your customers’ card details are stolen; in that case the penalties levied by the card schemes and the associated costs can be heavy, depending on the number of cards compromised.
Even where a merchant is certified, certification does not protect it from potential penalties if it is deemed that its own actions, through negligence, omission or accident, contributed to a breach.