The term PCI stands for Payment Card Industry, and we all are quite familiar with the different types of credit card / payment solution companies available, like Master Card, PayPal, and Visa etc. This article will further discuss how these companies manage their security of card holders’ data.
These companies run under the standards of PCI DSS, which stands for Payment Card Industry Data Security Standard. According to these standards, the information of card holders are to be kept secured.
History of PCI DSS
There are Five programs:
1. American Express’ Data Security Operating Policy
2. Discover’s Information Security and Compliance
3. JCB’s Data Security Program
4. Master Card’s Site Data Protection
5. Visa’s Card holder Information Security Program
They were initiated by these credit card companies.The intention of each company was nearly the same; and that was, to develop an additional layer of protection for card holders and card issuers, by making sure that merchants meet the minimum levels of security when processing, storing and transmitting credit card data.
These same ideas led to the formation of the Payment Card Industry Security Standards Council (PCI SSC), and the companies combined their policies to create the PCI DSS.
There have been a number of versions of the PCI DSS up till now, with the first version 1.0 released on 15 December 2015 and the latest version 3.2,launched in April 2016.
Why there’s a need for PCI DSS
The PCI DSS was developed to limit credit card fraud. PCI Compliance is however more about security, than compliance. The objective of PCI Compliance is to confirm that security standards are met when processing customer payments, as well as for customer data management.
Verification of PCI Compliance is checked annually by a QSA (Qualified Security Assessor), who creates a ROC (Report on Compliance). Although this is generally for companies handling millions of transactions, companies with less volume are only required to fill in a (SAQ) Self-Assessment Questionnaire as the means of reporting PCI Compliance.
The PCI DSS set up twelve requirements for PCI Compliance, which are organized into six groups known as Control Objectives. Every single version of the PCI DSS has categorized these twelve requirements differently, into an amount of sub requirements; but still the twelve main requirements have not been altered from the time of the standard’s inception.
Objectives and Requirements:
1. Develop and manage a secure network
I. Setup and uphold a firewall configuration to protect data of the card holder.
ii. Don’t use vendor-supplied defaults as system passwords nor for other security line ups.
2. Keep Cardholders’ Data protected
iii. Protect the stored data of card holder.
iv. Convert the card holders’ data of the card into codes across open and public networks.
3. Maintain the vulnerability of management program
v. Use and update antivirus regularly on the system getting most likely affected by malware.
vi. Build and maintain only secure systems and applications.
4. Use strong data admission control
vii. Restrict the businesses from accessing the cardholders’ data.
viii. Provide a unique access ID to every user with computer access.
ix. Restrict access to cardholders’ data physically.
5. Monitor and test networks regularly
x. Keep a track of the access to cardholders’ data and network resources.
xi. Test the security processes and systems regularly.
6. Keep the Information security policy maintained