The Payment Card Industry Data Security Standard (PCI DSS) was formulated by the PCI SSC (Security Standards Council), comprising the five major card brands: Mastercard, American Express, Visa, JCB, and Discover. This standard was created to ensure that the security of cardholder data is maintained at all times.
Any organization that stores, transmits, or processes cardholder information is required to have PCI DSS certification. Cardholder details are considered sensitive information and require a secure environment in which the organization stores them.
This standard provides a comprehensive framework for all the security processes required to protect payment card data. This includes prevention and detection methodologies as well as the steps to be taken in case of a security incident.
- Features and Benefits
- Applicability
- Consulting Methodology
PCI DSS compliance can seem to be a mountain of work; however, with the right advice and team at your side, it is easily manageable. There are, all in all, 12 distinct requirements for complying with this standard.
Install and Update Firewalls – This is a mandatory requirement to keep unauthorized and unknown parties from accessing a customer’s private data.
Robust Password Protection – Many of the systems we use today, be it modems, routers or third-party services, come with highly generic default passwords. Having a process for setting strong passwords, and keeping an inventory of the devices and systems that require a password, is a crucial component of this standard.
Encrypt Transmitted Data – This point highlights the fact that cardholder data is shared through many channels. On all these channels it is important to encrypt that data; this includes a ban on sending account numbers to unknown locations.
Cardholder Data Security – All card data should be stored with two-layer encryption, accompanied by regular maintenance and scanning for primary account numbers to ensure that no unencrypted data remains.
Anti-Virus Systems – All devices that use or store primary account numbers (PANs) should run anti-virus software that is regularly updated and patched. The point-of-sale provider should also have anti-virus software installed.
Software Updates – All firewalls and anti-virus software should be regularly updated. Over and above this, any software used by the business should be patched against newly discovered vulnerabilities.
Creating Unique IDs – All individuals with access to cardholder data should have unique credentials for accessing the system. There should, under no circumstances, be a single login shared by multiple employees.
Access Restriction – Cardholder data is considered sensitive information and should be shared only with those who have the appropriate clearance. It should be shared on a need-to-know basis, and there needs to be an up-to-date document listing all the roles that have access to this sensitive data.
Limited Physical Access – If cardholder data is kept in a physical location, it should be under lock and key in a secure location. Any time sensitive data is accessed, the access should be logged for future reference.
Access Logs – All activity undertaken with cardholder data should have a log entry behind it. The lack of a proper record is a major compliance violation.
Testing for Vulnerabilities – There should be a system in place that provides for regularly scanning and testing the software systems in use for vulnerabilities, out-of-date systems or even human error.
Policy Documentation including Risk Assessments – All individuals accessing cardholder data should have their details logged.
There should be a written policy that details all the steps to be taken before and after accessing cardholder data for official purposes. The way the information is accessed, stored and used needs to be documented as well.
There are several benefits of this certification, not the least of which is an international standardization of your data management and security practices.
- Helps secure your system and assures your customers
- Boosts market perception of your brand by giving you an edge over competitors
- Helps you safeguard all customer data in the best possible fashion while keeping up to date with possible solutions for any new vulnerabilities
- Improves overall IT infrastructure efficiency
This standard applies to all entities that deal with card payments, be they merchants, financial institutions or service providers. It also applies to businesses, organizations and companies that handle sensitive card details and the financial information of customers.