The Payment Card Industry Data Security Standard (PCI DSS) is a standard created by five payment card brands to give merchants and service providers a single, uniform set of requirements for how payment card data is secured and managed. The body that maintains it is the PCI Security Standards Council (PCI SSC). Other PCI security standards include the PCI PIN Transaction Security (PTS) requirements, the Payment Application Data Security Standard (PA-DSS), and the PCI Point-to-Point Encryption (P2PE) Standard.
Complying with the PCI DSS is an ongoing cycle of three steps: assess, repair, and report.
Assess: an organization evaluates how it handles payment card data. First it identifies where cardholder data (CHD) is stored, processed, and transmitted. Then it inventories the IT assets involved and documents its card-processing workflow. With that scope established, it can analyze those systems for vulnerabilities.
Repair: with the analysis done, the organization fixes the vulnerabilities it found and adjusts the affected business processes so they do not recur.
Report: finally, the organization documents the assessment it performed and how it remediated any issues. This report is then submitted to the acquiring bank and card brands the organization does business with.
PCI DSS Requirements
The standard contains twelve requirements, as set out in the PCI DSS v3.2.1 document. Many of the requirements have sub-requirements that specify in more detail what is needed to comply. The twelve requirements are grouped into six goals:
Build and maintain a secure network and systems
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
The PCI DSS was designed to drive uniformity in how organizations secure their customers' payment data. The PCI SSC works toward wider adoption of the PCI DSS and its associated standards along four lines.
First, it gathers industry participation so that the standards address the real needs and challenges of the industry.
Second, it supports a variety of standards and validation programs so that more than one method can be used to meet a requirement. This shows up in the sub-requirements, which often list several acceptable ways to satisfy a control. For example, there are many ways to implement multi-factor authentication or to render primary account numbers (PANs) unreadable.
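To make the PAN point concrete, the following is an added example, not code from the original article or from the PCI SSC: it shows three of the options the standard accepts for protecting PANs (display masking to the first six and last four digits, storage truncation to the last four, and a one-way keyed hash of the full PAN), plus a Luhn-filtered scan that redacts PANs that leak into log text. The card numbers and the log line are constructed test data; the function names and the use of HMAC-SHA-256 as the keyed hash are this example's own choices, not something the standard mandates.

```python
import hashlib
import hmac
import re

# Constructed sample PANs (well-known industry test numbers); they pass the
# Luhn check but are not real accounts.
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]

# Constructed log line: a PAN has leaked into an application log next to an
# order reference that happens to be a 13-digit number but is not Luhn-valid.
SAMPLE_LOG = ("2024-03-01 10:15:02 order=88213 pan=4111111111111111 "
              "amount=19.99 ref=1234567890123")


def luhn_valid(pan: str) -> bool:
    """Return True if pan is 13-19 digits and passes the Luhn check (ISO/IEC 7812)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking per PCI DSS v3.2.1 req. 3.3: at most the first six and
    last four digits may be shown; everything in between is replaced."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation (one req. 3.4 option): retain only the last four digits.
    Unlike masking, the discarded digits are gone, so this is irreversible."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """One-way hash of the entire PAN (another req. 3.4 option). A keyed hash
    (HMAC-SHA-256) is used here so that an attacker who obtains the hashes
    cannot simply precompute the 10^16 possible PANs and look them up; the
    key must be managed as a cryptographic secret. PCI DSS also warns that
    storing a truncated and a hashed form of the same PAN side by side lets
    the PAN be reconstructed unless controls prevent correlating them."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# Candidate runs of 13-19 digits; the Luhn check then weeds out order numbers,
# timestamps and other digit strings that merely look like PANs.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def redact_pans(text: str) -> tuple:
    """Replace every Luhn-valid PAN in text with its masked form.
    Returns (redacted_text, number_of_pans_replaced)."""
    count = 0

    def _sub(match):
        nonlocal count
        candidate = match.group(0)
        if luhn_valid(candidate):
            count += 1
            return mask_pan(candidate)
        return candidate

    return PAN_CANDIDATE.sub(_sub, text), count


if __name__ == "__main__":
    key = b"example-hmac-key-kept-in-an-hsm-or-kms"   # constructed key for the demo
    for pan in SAMPLE_PANS:
        print(pan, "->", mask_pan(pan), truncate_pan(pan), tokenize_pan(pan, key)[:16] + "...")
    redacted, n = redact_pans(SAMPLE_LOG)
    print(f"redacted {n} PAN(s):", redacted)
```

The redaction routine is the kind of control a practitioner would put in front of log shipping: the regex alone would also catch the 13-digit order reference, and it is the Luhn filter that keeps the false-positive rate tolerable. It cannot catch PANs written with spaces or dashes; extending the pattern to allow separators and stripping them before the Luhn check is the usual next step.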
Third, it tracks emerging payment channels so that security standards exist for them as early as possible. The examples the PCI SSC website gives are payments made through mobile and Internet of Things (IoT) devices.
Finally, the PCI SSC aligns its standards with other industry standards to avoid duplicated requirements and reduce the effort of implementing them.