What Does It Mean to be PCI DSS Compliant?

PCI DSS is a cybersecurity standard backed by all the major credit card and payment processing companies; it aims to keep credit and debit card numbers safe. PCI DSS stands for Payment Card Industry Data Security Standard. The standard, which is administered by the Payment Card Industry Security Standards Council, establishes cybersecurity controls and business practices that any company that accepts credit card payments must implement. Companies demonstrate that they have implemented the standard by meeting its reporting requirements; organizations that fail to meet those requirements, or that are found to be in violation of the standard, may be fined.

The PCI Security Standards Council was established by these industry players to make sure that transactions involving credit card numbers are as secure as possible.

PCI DSS applies to "any item that stores, processes, and/or transmits cardholder data," which means that any company that accepts credit card payments (which is to say, virtually any company that sells anything or receives donations) must comply with the standard.

When retailers sign a contract with a payment processor, they consent to be subject to fines if they fail to maintain PCI DSS compliance. Fines vary from payment processor to payment processor and are greater for companies with a higher volume of payments. Fines are assessed per month of non-compliance, and the per-month charge increases for longer periods, so a business might pay $5,000 a month if it is out of compliance for three months, but $50,000 a month if it goes as long as seven months. In addition, fines ranging from $50 to $90 can be levied for each customer who is affected in some way by a data breach.

Requirements of PCI DSS

The PCI DSS standard sets out 12 basic requirements for merchants:

  1. Install and maintain a firewall configuration to protect cardholder data.

  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

  3. Protect stored cardholder data.

  4. Encrypt transmission of cardholder data across open, public networks.

  5. Use and regularly update anti-virus software.

  6. Develop and maintain secure systems and applications.

  7. Restrict access to cardholder data by business need-to-know.

  8. Assign a unique ID to each person with computer access.

  9. Restrict physical access to cardholder data.

  10. Track and monitor all access to network resources and cardholder data.

  11. Regularly test security systems and processes.

  12. Maintain a policy that addresses information security.

PCI DSS compliance comes from meeting the responsibilities laid down by these requirements in the way best suited to your company, and the PCI Security Standards Council gives you the tools to do so. The process goes like this:

  1. Determine your organization's PCI DSS level. Companies are divided into levels based on how many credit card transactions they process annually.

  2. Complete a self-assessment questionnaire. These are available from the PCI Security Standards Council website, and there are several questionnaires tailored to the different ways companies handle credit card data.

  3. Build a secure network. The answers you give on your questionnaire will reveal weak spots in your credit card infrastructure and requirements you fail to meet, and will guide you in closing those gaps.

  4. Formally attest to your compliance. An AOC (attestation of compliance) is the form you use to indicate that you have achieved PCI DSS compliance. Completing your questionnaire with no "wrong" answers means that you are ready to go.

Source: CSO