What is PCI DSS?

PCI DSS

Payment Card Industry (“PCI”) is a term which collectively defines the debit, credit, pre-paid, e-purse, ATM, POS, and overall payment industry.

The PCI Data Security Standard (“DSS”) is a common set of security requirements developed by the major card brands (Discover, American Express, Visa, MasterCard and JCB) and first released in December 2004, to protect cardholder data, reduce debit and credit card fraud, and help detect security breaches. Before that, each card brand ran its own program, such as the MasterCard Site Data Protection (SDP) Program and the Visa Cardholder Information Security Program (CISP).

PCI DSS is not a law. The PCI Security Standards Council (PCI SSC), which now maintains the standard, does not run compliance programs and does not itself impose consequences for non-compliance; that is left to the individual card brands.

PCI DSS is enforced by the card brands and their acquiring banks through contractual penalties or sanctions, up to and including revocation of the right to accept or process payment cards. Failure to comply can mean substantial fines, forensic investigation costs, reimbursement of fraud losses, higher processing fees, and/or being barred from processing card transactions altogether.

PCI Applicability:

Any company that stores, processes, or transmits cardholder data must be able to demonstrate that it is PCI DSS compliant. Organizations that must comply include merchants, merchant acquirers, payment processors, payment gateways and hosting service providers.

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed or transmitted, PCI DSS requirements do not apply. Scoping therefore turns on where the PAN goes: every system, network segment and third party that touches it is in scope.

The required validation effort depends on merchant transaction volume. The annual number of card transactions stored, processed, or transmitted, together with the sales channel (e-commerce versus a physical store), determines the merchant level and thus the steps needed to validate compliance with the PCI DSS (broadly, an annual self-assessment questionnaire plus quarterly network scans at the lower levels, versus an annual on-site assessment at the highest level).

Merchants that outsource cardholder transaction processing entirely to a third party and do not store cardholder data on their own systems are generally not subject to an on-site audit; they are typically eligible for a reduced self-assessment questionnaire instead. They remain responsible for PCI DSS compliance, however, and for ensuring that their third-party providers are compliant.

Integrated credit/debit (POS) systems are increasingly targeted, with attackers going after the log files and centralized databases where card data accumulates. SQL injection is the most common attack method, typically combined with remote access through VNC or pcAnywhere, remote-control tools that are often exposed to the Internet with weak or default credentials (the situation Requirements 1 and 2 below are meant to prevent).
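To make the SQL injection point concrete, here is an added example (not code from the original page or from AM/PM) using Python's sqlite3 module against a constructed toy transactions table loaded with well-known test card numbers. The table, its column names and the lookup functions are hypothetical. The vulnerable lookup builds its query by string concatenation, so a date parameter of `' OR '1'='1` turns a one-day lookup into a dump of every stored PAN; the hardened version binds the value as a parameter and the same input simply matches nothing.

```python
import sqlite3

# Constructed sample data: a toy POS "transactions" table. The PANs are the
# industry-standard test numbers, not real cards.
SAMPLE_ROWS = [
    ("4111111111111111", "2007-03-01", 19.99),
    ("5555555555554444", "2007-03-01", 42.50),
    ("378282246310005", "2007-03-02", 7.25),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (pan TEXT, txn_date TEXT, amount REAL)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, txn_date):
    """Vulnerable: user input is spliced into the SQL text, so it is parsed as SQL."""
    sql = "SELECT pan, amount FROM transactions WHERE txn_date = '" + txn_date + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, txn_date):
    """Hardened: the input is bound as a parameter and can only ever be data."""
    sql = "SELECT pan, amount FROM transactions WHERE txn_date = ?"
    return conn.execute(sql, (txn_date,)).fetchall()


def demo(txn_date="' OR '1'='1"):
    """Run both lookups with the same input and report how many rows each returns."""
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, txn_date)),
        "hardened": len(lookup_hardened(conn, txn_date)),
    }


if __name__ == "__main__":
    # The tautology payload makes the vulnerable query return all three rows,
    # while the parameterised query returns none.
    print(demo())
    print(demo("2007-03-01"))
```

Parameterising the query removes the injection, but note that even the hardened lookup still hands back full PANs, which is a Requirement 3 problem in its own right: an application that only needs to identify a transaction should retrieve a masked or truncated PAN, not the whole number.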

PCI DSS is comprised of 12 core requirements (aka the “Digital Dozen”):

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.

6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
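Because stored and logged card data is what attackers go after (see the note on log files and databases above) and Requirement 3 says to protect it, a practical check is to scan application and POS logs for anything that looks like a PAN. The following is an added example in Python, not code from the original page or from AM/PM: it finds 13 to 19 digit candidates (with optional spaces or dashes), confirms them with the Luhn check digit that real card numbers carry, and rewrites each hit as first six and last four digits, which is the most PCI DSS permits to be displayed. The log lines are constructed for illustration and the PANs in them are the standard test numbers, not real cards.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check: doubles every second digit from the right, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep first six and last four digits; PCI DSS allows at most that to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _strip(candidate):
    return re.sub(r"[ -]", "", candidate)


def find_pans(line):
    """Return the Luhn-valid card numbers (separators removed) found in one line."""
    return [_strip(m.group()) for m in PAN_CANDIDATE.finditer(line)
            if luhn_ok(_strip(m.group()))]


def scrub_line(line):
    """Replace every Luhn-valid candidate in the line with its masked form."""
    def repl(m):
        digits = _strip(m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, line)


def scan_log(lines):
    """Return (line number, masked line) for every line that leaks a PAN."""
    return [(n, scrub_line(line)) for n, line in enumerate(lines, 1) if find_pans(line)]


# Constructed sample log lines (hypothetical POS application log format).
SAMPLE_LOG = [
    "2007-03-01 12:00:05 POS01 auth ok pan=4111111111111111 amount=19.99",
    "2007-03-01 12:00:09 POS01 auth ok pan=5555 5555 5555 4444 amount=42.50",
    "2007-03-01 12:01:00 POS02 txn=1234567890123 status=void",
    "2007-03-01 12:02:17 POS01 auth ok pan=378282246310005 amount=7.25",
]


if __name__ == "__main__":
    # Lines 1, 2 and 4 leak PANs; line 3 holds a 13-digit transaction ID that
    # fails the Luhn check and is left alone.
    for n, masked in scan_log(SAMPLE_LOG):
        print(n, masked)
```

Luhn filtering removes most false positives (the 13-digit transaction ID in the sample fails it) but not all, so treat hits as leads to investigate rather than proof. Masking output for display also does not by itself make stored PAN unreadable: the fix for a leak like this is to stop writing the PAN to the log, purge what is already there, and, where the data genuinely must be kept, protect it with the controls Requirement 3 describes (truncation, strong encryption, or one-way hashing).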

For more information on PCI DSS compliance, visit https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

NOTICE - This information does not constitute legal advice and AM/PM does not represent itself as an expert in PCI matters. For an expert opinion, please consult an approved PCI advisor.

LIMITATION OF LIABILITY
UNDER NO CIRCUMSTANCES IS AM/PM LIABLE TO CUSTOMER FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR PAYMENT TRANSACTION ERRORS OR OMISSIONS (ARISING FROM DEBIT, CREDIT, GIFT CARD, PCI, INTERAC, CREDIT CARD COMPANY, CARDHOLDER COMPLIANCE ISSUES, AND/OR PAYMENT DEVICE(S)).
