The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The PCI DSS is a global standard and applies to any organization, regardless of size or number of transactions, that accepts, transmits, or stores any cardholder data.
Established by the major credit card brands (Visa, MasterCard, American Express, Discover, and JCB), the standard aims to protect against fraud through increased controls around cardholder data. Compliance with PCI DSS means that an organization is taking the necessary steps to protect their payment systems from breaches and theft of cardholder data.
The PCI DSS specifies twelve requirements for compliance, organized into six control objectives, relating to the protection of cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regular monitoring and testing of networks, and maintaining an information security policy.
The requirements include but are not limited to:
- Installing and maintaining a firewall configuration to protect cardholder data.
- Not using vendor-supplied defaults for system passwords and other security parameters.
- Protecting stored cardholder data.
- Encrypting transmission of cardholder data across open, public networks.
- Using and regularly updating antivirus software.
- Developing and maintaining secure systems and applications.
- Restricting access to cardholder data by business need-to-know.
- Assigning a unique ID to each person with computer access.
- Restricting physical access to cardholder data.
- Tracking and monitoring all access to network resources and cardholder data.
- Regularly testing security systems and processes.
- Maintaining a policy that addresses information security.
Failure to comply with PCI DSS can result in hefty fines from credit card companies and banks and can severely damage an organization’s reputation among clients, potentially leading to lost business.