EC-Council: Computer Hacking Forensic Investigator(CHFI-V10)
Module 1 : Computer Forensics in Today's World
Note ID: 142

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit cards of the major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. PCI DSS is a widely accepted set of policies and procedures intended to strengthen the security of credit, debit and cash card transactions and to protect cardholders against misuse of their personal information. It was designed to prevent breaches of sensitive data and to reduce the risk of fraud for organizations that handle payment card information.

PCI DSS is not a law or a legal regulatory requirement. However, it is often part of the contractual obligations that businesses which process and store credit, debit and other payment card transactions must adhere to. Contractually obligated organizations must meet the requirements of PCI DSS to establish and maintain a secure environment for their clients.

PCI DSS was created in 2004 by five major credit card companies: Visa, Mastercard, Discover, JCB and American Express. The Payment Card Industry Security Standards Council (PCI SSC) developed the guidelines for PCI DSS.

What are the 6 principles of PCI DSS?

The PCI Security Standards Council (PCI SSC) has created six major goals for PCI DSS:

1. Build and maintain a secure network and systems. Credit card transactions must be conducted over a secure network. The security infrastructure should include firewalls that are strong and complex enough to be effective without causing inconvenience to cardholders or vendors. Specialized firewalls are available for wireless local area networks, which are highly vulnerable to eavesdropping and malicious attacks. Vendor-supplied default authentication data, such as default personal identification numbers and passwords, should not remain in use.

2. Protect cardholder data. Organizations adhering to PCI DSS must protect cardholder information wherever it's stored. Repositories with vital data, such as birthdates, mothers' maiden names, Social Security numbers, phone numbers and mailing addresses, must be secure. The transmission of cardholder data through public networks must be encrypted.

3. Maintain a vulnerability management program. Card services organizations must institute risk assessment and vulnerability management programs that protect their systems from malicious hackers and their tools, such as spyware and malware. All applications should be free of bugs and vulnerabilities that might enable exploits in which cardholder data could be stolen or altered. Software and operating systems must be regularly updated and patched.

4. Implement strong access control measures. Access to system information and operations should be restricted and controlled. Every person who uses a computer in the system must be assigned a unique and confidential identification name or number. Cardholder data should be protected physically, as well as electronically. Physical protection can include the use of document shredders, limits on document duplication, locks on dumpsters and security measures at the point of sale.

5. Regularly monitor and test networks. Networks must be regularly monitored and tested to ensure security measures are in place, functioning properly and up to date. For example, antivirus and antispyware programs should be provided with the latest definitions and signatures. These programs frequently scan all exchanged data, applications, RAM and storage media.

6. Maintain an information security policy. A formal information security policy must be defined, maintained and followed by all participating entities. Enforcement measures, such as audits and penalties for noncompliance, might be necessary.
