Overview: How to meet the latest payment card industry data security standards

If your organization processes card transactions, protecting this sensitive data is essential. Not adhering to payment security standards can mean that your organization gets fined – and your reputation could be seriously damaged. However, implementing the complex set of controls to achieve compliance with the most current Payment Card Industry Data Security Standards (PCI DSS) can put additional pressure on your organization.

As market leaders for managed security and managed assessment services, our system can help your organization to understand and implement the technical and operational controls needed to meet PCI requirements.

What is PCI DSS?


The PCI DSS is a minimum list of technical and organizational requirements intended to help businesses achieve reasonable payment security and protect customers' cardholder data from fraud. All businesses that accept or process credit card payments must undergo an annual PCI DSS audit of their security controls and processes, covering critical data security components such as retention, encryption, physical security, authentication and access management. The PCI DSS is enforced by the founding members of the PCI Council: American Express, Discover Financial Services, JCB, MasterCard and Visa Inc. A business that is flagged as not meeting reasonable payment security standards, or that shows no effort towards achieving compliance, may be penalized with a monetary fine.

Who does PCI DSS apply to?

The PCI DSS applies to all organizations that store, process, and/or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Examples of organizations that fall into this category include merchants, processors, acquirers, issuers, and service providers.

Organizations that outsource payment operations retain responsibility for all account data they process and must ensure that contracted third parties are adequately protecting this data.

PCI DSS frequently asked questions

PCI DSS applies to all organizations, including merchants and service providers, that store, process, and/or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Cardholder data includes: the primary account number (PAN), cardholder name, expiration date and service code.

Sensitive authentication data includes full track data (the magnetic stripe data or its equivalent on a chip), the CAV, CVC, CVV and CID numbers, and PINs and PIN blocks.

Under PCI DSS, merchants and service providers are allowed to store cardholder data. Some acquirers may permit storage of sensitive authentication data, but only under specific requirements for its use and protection, and only before payment authorization.

All system components in, or connected to, an organization's cardholder data environment (CDE) are subject to PCI DSS security requirements. The CDE includes all people, processes and technologies involved in the storage, processing or transmission of cardholder data and sensitive authentication data.

PCI DSS can apply to the whole organization, or to a subset of it where the CDE has been properly compartmentalized from the rest of the network. System components in scope include network devices, servers, computing devices and applications.

A merchant is defined as any entity that accepts payment cards from any of the five founding members of the PCI Security Standards Council (American Express, Discover, JCB, MasterCard or Visa) as consideration for the purchase of goods and/or services.

Service provider means any entity, other than a payment brand, that is engaged in the processing, storage or transmission of cardholder data. If an organization provides a service that only allows for public internet network access (for example, a telecommunications company providing a link in its communication facilities), that organization is not considered a service provider.

Note: A merchant can also be a service provider where it stores, processes or transmits cardholder data on behalf of other merchants or service providers.

PCI requirements

Build and maintain a secure network

Protect cardholder data

Maintain a vulnerability management program

Implement strong access controls

Regularly monitor and test networks

Maintain an information security policy