What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally.
It applies to all the service providers and merchants that process, transmit or store cardholder data. If any organisation handles card payments, it must comply or risk suffering financial penalties or even the withdrawal of the facility to accept card payments.
The PCI DSS was launched in 2004 and is the result of collaboration between the major credit card brands, Amex, Discover, JCB, MasterCard and Visa.
Not everyone will be penalised for failing to be PCI DSS compliant, as it is a standard, not a law. It is enforced through contracts between merchants, acquiring banks and payment brands.
The PCI DSS specifies 12 requirements that are organised into six control objectives.
1. Build and maintain a secure network
- Manage event logs that combine data from various sources safely.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
2. Protect cardholder data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
3. Maintain a vulnerability management programme
- Use and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
4. Implement strong access control measures
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
5. Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
6. Maintain an information security policy
- Maintain a policy that addresses information security for employees and contractors.
Failure to Maintain Security Controls
Compliance with the standard is notoriously complicated and many organisations fail to maintain their compliance. Verizon’s 2018 Payment Security Report found that nearly half (47.5%) of the organisations it assessed for interim PCI DSS compliance had failed to maintain all security controls.
Organisations are classified into one of four levels, depending on the volume of payment card transactions they process.
PCI DSS is a continuous process which consists of three primary steps:
- Identification and analysis of all IT assets, business processes and locations used in storing, processing and transmitting cardholder data, to find vulnerabilities.
- All identified vulnerabilities must be remediated; this may include the implementation or change of systems, business processes and business partners.
- Your state of compliance must be documented in a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ), depending on the PCI DSS level.
SAQ
- The SAQ (Self-Assessment Questionnaire) has been developed to address requirements applicable to merchants whose cardholder data functions are completely outsourced to validated third parties, where the merchant retains only paper reports or receipts with cardholder data.
- Such merchants may be either e-commerce or mail/telephone-order merchants (card-not-present) and do not store, process, or transmit any cardholder data in electronic format on their systems or premises.
- Merchants confirm that, for this payment channel:
- Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
- All payment acceptance and processing are entirely outsourced to PCI DSS validated third-party service providers;
- Your company has no direct control of the manner in which cardholder data is captured, processed, transmitted, or stored;
- Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on third parties to handle all these functions;
- Your company has confirmed that all third parties handling acceptance, storage, processing, and/or transmission of cardholder data are PCI DSS compliant;
- Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically.
Additionally, the Attestation of Compliance (AOC) has to be completed by a Qualified Security Assessor (QSA), or by the merchant if internal audit performs the validation.
The AOC is a declaration of the merchant’s or service provider’s compliance status with the PCI Data Security Standard.
Penalties for Non-Compliance
Enforcement of compliance with PCI DSS, and any non-compliance penalties, are carried out by the individual payment card brands. Entities may also suffer diminished sales, fraud losses and legal costs associated with a breach of cardholder data.