Payment Card Industry (PCI) – Data Security Standard is standard set based on a consensus based process led by 5 major credit card companies. It is not a government enforced standard and compliance is enforced by the credit companies.
Non-compliance results in higher fees and severe fines in the event of breach. All merchants and service providers collecting and processing credit card transactions are required to comply with the PCI-DSS.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
Benefits of Implementing PCI-DSS ( based on www.visaeurope.com)
In today’s environment, security has become a consideration for every type of business.
By following the standardised, industry-wide procedures of PCI DSS, organisations can:
- Protect their customers’ personal data
- Boost customer confidence through a higher level of data security
- Insulate themselves from financial losses and remediation costs
- Maintain customer trust, and safeguard the reputation of their brand
- Provide a complete ‘health check’ for any business that stores or transmits customer information
As the technology used by merchants and their partners has evolved, card fraud has become more sophisticated. Any business that stores or transmits cardholder account data is a potential target.
PCI DSS protects cardholders and minimises the risk to your business.
Implementation of technological solutions that reduce the amount of card data handled by an organisation may also help considerably as they may:
- Reduce the amount of data at risk of compromise
- Reduce the scope of a PCI DSS compliance and other security and audit projects
- Simplify an organisation’s security needs and plans
Examples of technologies that may help increase your security and reduce the risk of compromises are the use of a PCI DSS compliant service provider, the use of a secure payment application, the implementation of EMV Chip and PIN, data encryption, and tokenisation.
