Payment Card Industry Data Security Standard (PCI-DSS)

PCI DSS compliance is aimed at protecting cardholder information and contains 12 industry requirements and 250+ security controls.

kaykay
Sep 22, 2025 - 17:40
Sep 22, 2025 - 17:41

PCI-DSS (Payment Card Industry Data Security Standard) is a set of security standards created by the major payment brands to protect cardholder data from theft and fraud. It applies to all businesses that store, process, or transmit credit and debit card information. It is administered by the PCI-SSC (Payment Card Industry Security Standards Council).

12 Requirements of PCI-DSS

PCI DSS outlines 12 requirements, grouped into six control objectives, to protect cardholder data.

Build and maintain a secure network

  • Use network security controls such as firewalls.
  • Avoid vendor-supplied defaults for passwords and security parameters.

Protect cardholder data

  • Protect stored cardholder data, for example, by encrypting or masking the Primary Account Number (PAN).
  • Encrypt cardholder data during transmission over public networks.

Maintain a vulnerability management program

  • Protect systems and networks against malicious software and keep antivirus updated.
  • Develop and maintain secure systems and software through patches and secure coding.

Implement strong access control measures

  • Restrict access to cardholder data by business need to know.
  • Identify and authenticate users accessing system components.
  • Restrict physical access to cardholder data.

Regularly monitor and test networks

  • Log and monitor access to network resources and cardholder data.
  • Regularly test security systems and processes, including penetration tests and vulnerability scans.
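The two requirements above that bite hardest in practice are rendering stored PANs unreadable (masking on display, keyed cryptography at rest) and logging access without letting a PAN leak into the logs in clear text. The following Python example is added here and is not part of the original post; it assumes a constructed HMAC key, constructed sample log lines using well-known test card numbers, and the usual display rule of showing at most the first six and last four digits. It masks a PAN for display, derives a keyed-hash reference for storage lookups, and runs a Luhn-filtered scrubber over log lines so that a monitoring rule can count how many PANs reached the logs.

```python
import hashlib
import hmac
import re
from typing import List, Tuple

# Constructed demo key (placeholder). A real deployment keeps the key in an
# HSM/KMS and never beside the data it protects.
DEMO_HMAC_KEY = b"demo-key-not-for-production"

# A PAN candidate: 13-19 digits, optionally separated by single spaces or
# hyphens, not adjacent to other digits (avoids matching inside longer ids).
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit test; filters out most non-PAN numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed hash of the PAN usable as a lookup/de-duplication reference.
    An unkeyed hash would be brute-forceable over the small PAN space."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN candidate in a log line with its masked
    form. Returns (scrubbed_line, number_of_pans_found)."""
    found = 0

    def _replace(match):
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)       # e.g. an order id: leave it alone
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, line), found


def scrub_log(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub a batch of lines. The count is what a monitoring rule alerts on:
    any PAN reaching application logs is a scoping/control failure."""
    total = 0
    out = []
    for line in lines:
        scrubbed, n = scrub_log_line(line)
        out.append(scrubbed)
        total += n
    return out, total


# Constructed sample log lines (industry test card numbers, not real accounts).
SAMPLE_LOG_LINES = [
    "2025-09-22T17:40:01Z checkout pan=4111 1111 1111 1111 amount=19.99",
    "2025-09-22T17:40:02Z order id=1234567890123456 status=ok",
    "2025-09-22T17:40:03Z refund card=4242-4242-4242-4242 user=alice",
]

if __name__ == "__main__":
    scrubbed, count = scrub_log(SAMPLE_LOG_LINES)
    for line in scrubbed:
        print(line)
    print(f"PANs found in logs: {count}")
    print("storage reference:", pan_reference("4242424242424242"))
```

The Luhn filter is what keeps the scrubber from mangling 16-digit order or session identifiers, and the keyed hash rather than a plain SHA-256 is why Requirement 3 talks about specific cryptographic methods: the PAN space is small enough that an unkeyed hash can be inverted by enumeration.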

Maintain an information security policy

  • Establish and maintain an information security policy for all personnel.

4 Merchant Levels for PCI-DSS Compliance

  • Level 1: Over 6 million transactions.
  • Level 2: 1 million to 6 million transactions.
  • Level 3: 20,000 to 1 million transactions.
  • Level 4: Less than 20,000 transactions.

Types of PCI Compliance groups

PCI-SSC: Formed by the major credit card brands (Visa, Mastercard, American Express, Discover, JCB), the council is responsible for establishing and maintaining standards for the protection of cardholder data.

Merchants: Businesses or organizations that collect, store or process cardholder data and are responsible for PCI DSS adherence.

Service Providers: Organizations that handle cardholder data on behalf of merchants.

Card issuers and merchant banks: Card issuers / card brands issue payment cards to customers, while merchant banks are financial institutions that facilitate payment acceptance on behalf of merchants.

QSAs: Qualified Security Assessors are certified PCI compliance assessors who conduct assessments for merchants or service providers.

ASVs: Approved Scanning Vendors are organisations qualified by the PCI SSC to conduct external vulnerability scans for merchants or service providers.

Components of PCI-DSS

Handling card data securely: Ensuring sensitive card details are collected and transmitted only over secure transmission methods.

Secure storage of card data (minimum standard): Adhering to the 12 requirements of PCI DSS for securely storing cardholder data.

Annual validation of security controls: Validation includes Self-Assessment Questionnaires (SAQs), external vulnerability scanning, and third-party audits.

Maintaining PCI compliance: Continuously maintaining compliance with PCI DSS by implementing and adhering to the security policies, procedures, and controls outlined by the PCI Security Standards Council.

PCI-DSS 4.0 April 2024 Updates

Requirement 3: Clarifications for issuers and those supporting issuing services, with added flexibility for organizations using specific cryptographic methods to secure PANs.

Requirement 6: Returned to v3.2.1 language focusing on patching critical vulnerabilities; clarified the management of payment page scripts.

Requirement 8: Noted exceptions for non-admin access into the cardholder data environment (CDE), allowing phishing-resistant authentication for user accounts.

Requirement 12: Updated notes on the customer-TPSP (third-party service provider) relationship for clarity.

How to Achieve Compliance

Step 1: Assess

  • Determine your PCI level.
  • Scope your cardholder data environment (CDE).
  • Conduct a gap analysis.

Step 2: Remediate

  • Based on your gap analysis, implement the necessary security measures to meet all 12 PCI DSS requirements.

Step 3: Report

  • Complete the required documentation, such as the Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC).
  • Conduct quarterly vulnerability scans.
  • Submit your completed documentation, along with an Attestation of Compliance (AOC), to your acquiring bank or payment provider.