The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines and best practices provided to all companies and other entities that process, transmit, or store credit card data. These guidelines were developed by the PCI Security Standards Council (PCI SSC) and are intended to prevent data leaks and subsequent identity theft and credit card fraud. There are three ongoing phases involved in PCI DSS compliance: assess business processes and identify potential risks, remediate those risks, and report compliance efforts to relevant banks and other credit card issuers.
Paramount to compliance with the Payment Card Industry Data Security Standard is the creation and maintenance of a secure computer network. A strong firewall must separate cardholder data from external network access. System passwords, along with other security measures, should be put in place at each potential point of vulnerability in the network. All cardholder data must be stored securely and, when transmitted over public networks, must be encrypted. Ongoing measures include the use of anti-virus software and restricting staff access to data, whether physical or electronic, to those with a business need to know.
There are numerous tools and services available to help organizations work toward PCI DSS compliance. While the PCI SSC sets the standards, each major credit card brand has created its own program for enforcing compliance with those standards, along with its own card validation procedures. Each of these companies offers online and other guidance to organizations that accept its cards. PCI SSC also operates a program that approves qualified security assessors who validate compliance with the Payment Card Industry Data Security Standard. For organizations that self-assess their compliance, PCI SSC provides validation tools called Self-Assessment Questionnaires in several forms, each tailored to a specific business environment.
A key premise for complying with the payment card industry data security standard is to store only credit card data that is essential to the organization’s needs. Stored data must be subject to time limits and transaction authentication data must never be stored. All account numbers and other sensitive data transmitted over public networks must be partially masked.
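As an added illustration (not part of the original article), the following Python sketch turns the storage rules in the paragraph above into code: the PAN is partially masked before it is kept, sensitive authentication data is refused rather than stored, and records older than a retention limit are purged. The field names, the "first six and last four digits" masking pattern, the 90-day retention window and the sample records are assumptions chosen for the example, not values taken from the page.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed names of fields that hold sensitive authentication data and must
# never be persisted after authorization (card verification codes, PINs,
# magnetic-stripe track data).
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cvv2", "pin", "pin_block", "track1", "track2"}

# Assumed retention limit for stored cardholder data.
MAX_RETENTION_DAYS = 90

# Constructed sample records (well-known test card numbers, not real cards).
SAMPLE_RECORDS = [
    {"pan": "4111-1111-1111-1111", "cvv": "123", "expiry": "12/27",
     "stored_at": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"pan": "5500000000000004", "track2": ";5500000000000004=27121011000012345?",
     "expiry": "12/27", "stored_at": datetime(2024, 6, 1, tzinfo=timezone.utc)},
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN, keeping only the leading and trailing digits (assumed pattern)."""
    digits = re.sub(r"\D", "", pan)       # tolerate spaces or dashes in input
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def sanitize_for_storage(record: dict) -> dict:
    """Drop sensitive authentication data and replace the PAN with its masked form."""
    cleaned = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    cleaned["pan"] = mask_pan(record["pan"])
    return cleaned


def purge_expired(records: list, now: datetime, max_days: int = MAX_RETENTION_DAYS) -> list:
    """Return only records stored within the retention window ending at `now`."""
    cutoff = now - timedelta(days=max_days)
    return [r for r in records if r["stored_at"] >= cutoff]


if __name__ == "__main__":
    now = datetime(2024, 7, 1, tzinfo=timezone.utc)
    for rec in purge_expired([sanitize_for_storage(r) for r in SAMPLE_RECORDS], now):
        print(rec)
```

The masking step validates the PAN before it masks it so that malformed input is rejected rather than silently truncated, and the sanitizer filters by field name so that any sensitive authentication field present in a record is dropped regardless of its value.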
Other ongoing PCI DSS measures include the creation and maintenance of a vulnerability management program that ensures applications and systems are developed and maintained securely. Routine monitoring and network testing are also required to identify weaknesses. Each organization must also maintain a written security policy and distribute it to all personnel.