What is PCI DSS?
PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data.
PCI DSS consolidated five separate programmes that the card brands had started individually:
- Visa’s Cardholder Information Security Program
- MasterCard’s Site Data Protection
- American Express’s Data Security Operating Policy
- Discover’s Information Security and Compliance
- JCB’s Data Security Program
What are Cardholder Data and Sensitive Authentication Data?
The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data and sensitive authentication data wherever it is processed, stored or transmitted. The security controls and processes required by PCI DSS are vital for protecting all payment card account data, including the PAN – the primary account number printed on the front of a payment card. Merchants, service providers and other entities involved in payment card processing must never store sensitive authentication data after authorisation. This includes the 3- or 4-digit security code printed on the front or back of a card, the data stored on a card’s magnetic stripe or chip (also called “Full Track Data”) and personal identification numbers (PINs) entered by the cardholder.
Read more on PCI DSS Council website at:
PCI DSS Requirements
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
PCI DSS Levels and compliance validation
Level 1. Over 6 million transactions annually
Every year:
• File a Report on Compliance (“ROC”) prepared by a Qualified Security Assessor (“QSA”), or by an Internal Auditor if signed by an officer of the company.
• Submit an Attestation of Compliance (“AOC”) Form.
Every quarter:
• Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”).
Level 2. 1 to 6 million transactions annually
Every year:
• Complete a Self-Assessment Questionnaire (“SAQ”).
• Submit an Attestation of Compliance (“AOC”) Form.
Every quarter:
• Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”).
Level 3. 20,000 to 1 million transactions annually
Every year:
• Complete a Self-Assessment Questionnaire (“SAQ”).
• Submit an Attestation of Compliance (“AOC”) Form.
Every quarter:
• Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”).
Level 4. Less than 20,000 transactions annually
Every year:
• Complete a Self-Assessment Questionnaire (“SAQ”).
• Submit an Attestation of Compliance (“AOC”) Form.
Every quarter:
• Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”) (if applicable).
Prioritised Approach to PCI DSS compliance
Follow these pragmatic steps, in order, to secure “quick wins” early:
- Remove sensitive authentication data and limit data retention.
- Protect systems and networks, and be prepared to respond to a system breach.
- Secure payment card applications.
- Monitor and control access to your systems.
- Protect stored cardholder data.
- Finalise remaining compliance efforts, and ensure all controls are in place.
How we may help
As a management consulting company, we can help you achieve PCI DSS compliance and implement best practices in payment data protection through:
- mapping data flows
- identifying and limiting the PCI DSS perimeter (scope)
- consulting on ASV and QSA engagements
- providing transformation capacity and leadership for gap remediation
- creating internal policies and procedures
- reviewing payment processing agreements
- conducting awareness and knowledge testing programmes
- building efficient organisational structures (roles and responsibilities)
- implementing best practices in third-party risk management (enterprise risk)