1. PCI Compliance and why it is important
What is PCI Compliance and who does it apply to?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
The PCI DSS applies to every organization, irrespective of size or number of transactions, that accepts, transmits or stores any cardholder data.
The 4 Merchant Compliance Levels
There are 4 merchant compliance levels, sorted on the basis of VISA transaction volume over a 12-month period.
Merchant levels are defined as:
1. Level 1 – Any merchant, irrespective of acceptance channel, processing over 6 million transactions per year.
2. Level 2 – Any merchant, irrespective of acceptance channel, processing between 1 million and 6 million transactions per year.
3. Level 3 – Any merchant, irrespective of acceptance channel, processing between 20,000 and 1 million transactions per year.
4. Level 4 – Any merchant, irrespective of acceptance channel, processing fewer than 20,000 transactions per year.
2. The 12 requirements for PCI DSS Compliance
1. Installing and Maintaining Firewalls
Firewalls ensure that attempts by external entities to access private data remain blocked.
2. Password Protection and Avoiding Generic Passwords
Vendor-supplied generic (default) passwords are not permissible. It is mandatory to maintain an inventory of all systems together with their configuration/hardening procedures.
3. Protection of Cardholder Data
Card data must be encrypted with industry-accepted algorithms. Along with card data encryption, this requirement also calls for a PCI DSS encryption key management process.
4. Encryption of Transmitted Cardholder Data
The card data must be secured when it is transmitted over an open or public network.
5. Using and Updating Anti-Virus Software
Anti-virus or anti-malware programs should be installed to detect known malware. It is important to keep the anti-malware program updated.
6. Maintaining Updates of Software
All software involved in maintaining security, and other necessary allied services, must be updated regularly. Security patches, if any, should be installed promptly to fix vulnerabilities.
7. Restricting Access to Cardholder Data
The need-to-know principle applies here. Third parties, staff, etc., who do not require access to the data should not be given access to it.
8. Unique Access ID
Every individual with access to cardholder data must have a unique access ID in order to reduce exposure.
9. Physical Restrictions to Cardholder Data
Cardholder data must be kept in a secured physical location. Surveillance and logs should also be maintained so as to control and record who has access to such data.
10. Maintaining Access Logs to Cardholder Data
An access log must be maintained at all times for any activity on cardholder data and primary account numbers.
11. Test Systems for Vulnerabilities
Malfunctions, out-of-date software and human errors must be checked for regularly so as to ensure a fool-proof system.
12. Policy Documents
All the above pointers can only be suitably implemented if proper documentation for each of them is maintained, right from access logs to every compliance measure.
Conclusion
PCI compliance is essential and a necessity. It is mandatory for anyone who processes cards and obtains or stores the information of any cardholder. Adherence to PCI DSS is automatically agreed to when one signs up with a payment processing company.
Originally published: https://bit.ly/3I5LAcu