What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally.
It applies to all service providers and merchants that process, transmit or store cardholder data. If an organisation handles card payments, it must comply or risk financial penalties or even the withdrawal of its ability to accept card payments.
The PCI DSS was launched in 2004 and is the result of collaboration between the major credit card brands: Amex, Discover, JCB, MasterCard and Visa.
Not everyone will be penalised for failing to be PCI DSS compliant, as it is a standard rather than a law. It is enforced through contracts between merchants, acquiring banks and payment brands.
The PCI DSS specifies 12 requirements that are organised into six control objectives.
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management programme
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
Failure to Maintain Security Controls
Compliance with the standard is notoriously complicated, and many organisations fail to maintain it. Verizon's 2018 Payment Security Report found that nearly half (47.5%) of the organisations it assessed for interim PCI DSS compliance had failed to maintain all security controls.
Organisations are classified in one of four levels, depending on the volume of payment card transactions they process.
PCI DSS compliance is a continuous process consisting of three primary steps.
Additionally, the Attestation of Compliance (AOC) has to be completed by a Qualified Security Assessor (QSA), or by the merchant if an internal audit performs the validation.
The AOC is a declaration of the merchant's or service provider's compliance status with the PCI Data Security Standard.
Penalties for Non-Compliance:
Enforcement of compliance with PCI DSS, and any penalties for non-compliance, is carried out by the individual credit card payment brands. Entities may also suffer diminished sales, fraud losses and legal costs associated with a breach of cardholder data.