The Payment Card Industry Data Security Standard (PCI DSS) comprises six information security goals and 12 requirements. Every organization that processes payment card data must comply with the PCI Data Security Standard.
The goals and PCI DSS requirements are as follows:
- Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect Cardholder Data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
- Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
- Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
- Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
- Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors.
You can find complete information about each of these standards in our comprehensive guide, “PCI Compliance Explained.” For tips on passing your PCI DSS audit with ease, check out “Preparing for a PCI-DSS Audit: Five Steps Success Scoping” and our PCI DSS Audit Checklist.
More About PCI DSS
The Payment Card Industry Security Standards Council (PCI SSC), comprising the credit card brands American Express, Discover Financial Services, JCB International, Mastercard, and Visa, Inc., was established to protect credit card information from data breaches. These credit card companies, all affiliated with financial institutions, wanted not only to protect sensitive authentication data, cardholder data such as primary account number, and other sensitive information, but to prevent their own systems from compromise, malware, and other security threats.
The standard the PCI Security Standards Council developed for businesses to meet, the PCI DSS, establishes four levels of PCI compliance. The PCI DSS compliance level a merchant belongs to is determined by the number of debit card and credit card transactions it processes per year.
Generally speaking, the merchant levels are:
- Level 1: More than six million Visa and Mastercard transactions annually
- Level 2: Between 1 million and 6 million Visa and Mastercard transactions per year
- Level 3: Between 20,000 and 1 million Mastercard and Visa transactions per year
- Level 4: Fewer than 20,000 Visa and Mastercard transactions per year
Each level contains additional requirements for American Express, Discover, JCB, and eCommerce transactions.
Before completing the PCI DSS self-assessment questionnaire (SAQ), merchants should first determine their compliance level.
What Is PCI DSS Compliance?
PCI compliance requires companies that accept, process, store, or transmit credit card information to create a secure environment in which transactions take place, starting at the point of sale. Cardholder data must be stored on a private network that has no access or connection to the public internet.
Additionally, PCI DSS compliance requires merchants to hire a qualified security assessor (QSA) whose independent “attestation of compliance” ensures that the merchant is PCI compliant.
The resulting report on compliance (ROC) incorporates a review of the merchant’s security controls under the 12 requirements, including vulnerability management. Some merchants or service providers use approved scanning vendors (ASVs) to manage their vulnerability scans.
PCI non-compliance can lead to card data theft, fines, or acquiring banks’ refusal to allow a merchant or service provider to accept credit card or debit card payments.