PCI DSS - Payment Card Industry Data Security Standard


The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally.

It applies to all merchants and service providers that process, transmit, or store cardholder data. If your organization handles card payments, it must comply with PCI DSS.

The PCI DSS was launched in 2004 and is the result of collaboration between the major credit card brands: American Express, Discover, JCB, Mastercard, and Visa.

Do I need to comply with the PCI DSS?

All organizations that accept credit and debit cards or that store, process, and transmit cardholder data need to comply with the Standard.

The PCI DSS is a standard, not a law. It is enforced through contracts between merchants, acquiring banks, and payment brands.

Each payment brand can fine acquiring banks for PCI DSS compliance violations, and acquiring banks can withdraw the ability to accept card payments from non-compliant merchants.

It's also worth remembering that a PCI DSS breach is always a GDPR breach, as cardholder data is classified as personal data under the Regulation.

How do I become PCI DSS compliant?

The PCI DSS specifies 12 requirements that are organized into six control objectives.

  1. Build and maintain a secure network
    • Install and maintain a firewall configuration to protect cardholder data.
    • Do not use vendor-supplied defaults for system passwords and other security parameters.
  2. Protect cardholder data
    • Protect stored cardholder data.
    • Encrypt transmission of cardholder data across open, public networks.
  3. Maintain a vulnerability management program
    • Use and regularly update anti-virus software or programs.
    • Develop and maintain secure systems and applications.
  4. Implement strong access control measures
    • Restrict access to cardholder data by business need-to-know.
    • Assign a unique ID to each person with computer access.
    • Restrict physical access to cardholder data.
  5. Regularly monitor and test networks
    • Track and monitor all access to network resources and cardholder data.
    • Regularly test security systems and processes.
  6. Maintain an information security policy
    • Maintain a policy that addresses information security for employees and contractors.



PCI DSS Assessment Process

  1. Confirm the scope of the PCI DSS assessment.
  2. Perform the PCI DSS assessment of the environment, following the testing procedures for each requirement.
  3. Complete the applicable report for the assessment (i.e., Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls, according to the applicable PCI guidance and instructions.
  4. Complete the Attestation of Compliance for Service Providers or Merchants, as applicable.
  5. Submit the SAQ or ROC, and the Attestation of Compliance, along with any other requested documentation—such as ASV scan reports—to the acquirer (for merchants) or to the payment brand or other requester (for service providers).
  6. If required, perform remediation to address requirements that are not in place, and provide an updated report.
