What is PCI-DSS?

Payment Card Industry Data Security Standard

PCI-DSS (sometimes shortened to PCI) stands for Payment Card Industry Data Security Standard.

The History of PCI-DSS

As credit card use grew, each card brand saw a need for security requirements to protect cardholder data. Before 2006 there was no single standard; each brand ran its own security program:

  • Cardholder Information Security Program (Visa)
  • Site Data Protection (MasterCard)
  • Data Security Operating Policy (American Express)
  • Discover Information Security and Compliance, DISC (Discover)
  • Data Security Program (Japan Credit Bureau)

The five programs had the same intent but differed in detail, so merchants serving several brands faced overlapping audits. The brands first jointly published PCI-DSS 1.0 in December 2004 to merge the programs, and in 2006 they formed the Payment Card Industry Security Standards Council (PCI SSC) to own and maintain it. The standard has been managed by the Council ever since, with new versions released periodically.

PCI-DSS Goals and Objectives

PCI-DSS is a set of security requirements, enforced through the card brands' contracts with acquirers, merchants and service providers rather than by law, that applies to every entity that stores, processes or transmits cardholder data. Its purpose is to ensure those entities maintain a secure environment around that data.

The standard defines 12 requirements, grouped under six control objectives. The wording below follows the PCI-DSS v2.0 requirement titles; later versions (v3.x and especially v4.0) rephrase several of them, but keep the same twelve-requirement structure.

Control objective: Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Control objective: Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Control objective: Maintain a vulnerability management program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Control objective: Implement strong access control measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Control objective: Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Control objective: Maintain an information security policy
  12. Maintain a policy that addresses information security for all personnel

A business that is PCI compliant has implemented these requirements and keeps them in place continuously, not just at assessment time. Together they protect the cardholder data (primary account number, expiry date, cardholder name and sensitive authentication data) that flows through every card transaction.
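Requirement 3 ("Protect stored cardholder data") is the one merchants most often fail by accident, because full card numbers leak into application logs, crash dumps and support tickets rather than the database. The following is an added example, not code from the original page or from the PCI SSC: a log scrubber that finds candidate primary account numbers (13 to 19 digits, optionally separated by spaces or hyphens), confirms them with the Luhn check to cut false positives such as order numbers and timestamps, and masks each confirmed PAN to its first six and last four digits. That first-six/last-four pattern is assumed here because it is the maximum PCI-DSS permits when a PAN is displayed; the log lines and the 4111 1111 1111 1111 test card number are constructed sample input.

```python
import re

# Candidate PAN: 13 to 19 digits, each digit optionally followed by a space or
# hyphen, not embedded in a longer digit run. The lookarounds stop a 20-digit
# run from matching as a 19-digit sub-run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not from the original page). The first and third
# contain a well-known test card number; the second contains a 16-digit value
# that fails the Luhn check and must be left alone.
SAMPLE_LOG = [
    "2015-10-08 12:00:01 order=1001 pan=4111111111111111 amount=19.99",
    "2015-10-08 12:00:02 order=1002 ref=1234567890123456 amount=5.00",
    "2015-10-08 12:00:03 card 4111 1111 1111 1111 declined",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the PCI-DSS display maximum), star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> str:
    """Replace every Luhn-valid 13-19 digit number in the line with its masked form.

    Separators inside a matched PAN are dropped, so the masked value is a single token.
    """
    def replace(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return match.group(0)   # not a card number: leave the original text

    return PAN_CANDIDATE.sub(replace, line)


def scrub_log(lines):
    """Scrub a sequence of log lines, returning the cleaned lines in order."""
    return [scrub_line(line) for line in lines]


if __name__ == "__main__":
    for cleaned in scrub_log(SAMPLE_LOG):
        print(cleaned)
```

Run the scrubber on the log stream before it is written to disk or shipped to a log aggregator; rewriting files after the fact still leaves the unmasked PAN on the original storage and in any backups, which an assessor will treat as stored cardholder data. The Luhn check is a filter, not proof: a non-card number can pass it by chance, so a false positive masks something harmless, which is the safer failure direction.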




PCI Compliance vs. Validation

PCI-DSS must be implemented by every entity that handles cardholder data. Validation, however, is a separate step: not every entity is required to prove its compliance to a card brand or acquirer. Which entities must comply, and which must also validate?

Banking Institutions

Issuing banks must comply with PCI-DSS standards for securing cardholder data, but they are not required to go through validation.

Acquiring banks must comply with the standards, as well as validate their compliance with an audit.

Merchants

All merchants and service providers that accept cards from any participating brand (Visa, MasterCard, American Express, Discover or JCB) are required to comply with PCI-DSS.

The validation required depends on the merchant's annual card transaction volume, which the brands divide into four levels. PCI-DSS compliance is an ongoing obligation: as transaction volume grows, a merchant moves up a level and faces stricter validation, and a card brand may also move a merchant to Level 1 at its discretion after a data breach.

Level 1
  Merchant characteristics: more than 6 million Visa, MasterCard or Discover transactions, or more than 2.5 million American Express transactions, per year
  Validation requirements: annual on-site assessment by a Qualified Security Assessor (QSA), producing a Report on Compliance; quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)

Level 2
  Merchant characteristics: 1 million to 6 million Visa, MasterCard or Discover transactions, or 50,000 to 2.5 million American Express transactions, per year
  Validation requirements: annual Self-Assessment Questionnaire (SAQ); quarterly ASV scans

Level 3
  Merchant characteristics: 20,000 to 1 million Visa, MasterCard or Discover e-commerce transactions, or fewer than 50,000 American Express transactions, per year
  Validation requirements: annual SAQ; quarterly ASV scans

Level 4
  Merchant characteristics: fewer than 20,000 Visa, MasterCard or Discover e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year
  Validation requirements: annual SAQ; quarterly ASV scans where applicable; the merchant's acquirer sets the exact validation requirements

Criticisms of PCI-DSS

The PCI-DSS is not without its critics. Opponents of the standard assert that it imposes unwieldy and burdensome requirements that are difficult and expensive to meet, especially for small merchants. Others argue that it is little more than a money-making scheme for the card brands, offering mainly a means to levy fines for alleged infractions.

In contrast, PCI-DSS supporters maintain that the standard is a valid method of improving cardholder security, if only by forcing entities to confront the need for stronger IT security.

The Future of Credit Card Security

With an increasing dependence on credit card networks, there will always be a need for cardholder security. Fraud and identity theft are expensive crimes for both the cardholder and the merchant.

Even merchants that have validated their compliance can still suffer data breaches: validation is a point-in-time assessment, not a guarantee that controls hold for the rest of the year. As long as attackers are actively targeting card data, there will continue to be a risk of credit card fraud, unauthorized transactions, and the chargebacks that follow them.

If you’d like more information on incorporating chargeback management into data security solutions, let us know.



Oct 8, 2015 | Chargeback Terminology