Payment Card Industry Data Security Standard
The History of PCI-DSS
As credit card use grew, the card networks saw a need for security measures to protect consumer data. Before 2006 there were five separate network security programs:
- Cardholder Information Security Program (Visa)
- Site Data Protection (MasterCard)
- Data Security Operating Policy (American Express)
- Information Security and Compliance (Discover)
- Data Security Program (Japan Credit Bureau)
Each of the five programs had a similar intent, so in 2006 the Payment Card Industry Council was formed to unify them into one set of regulations. PCI-DSS was released and has been the standard ever since.
PCI-DSS Goals and Objectives
PCI-DSS is a set of regulations created to ensure that every entity responsible for processing, storing or transmitting credit card information maintains a secure environment.
The Payment Card Industry has developed 12 compliance requirements, broken up into six control objectives.
|Control Objective|Compliance Requirement|
|---|---|
|Build and maintain a secure network|1. Install and maintain a firewall configuration to protect cardholder data|
||2. Do not use vendor-supplied defaults for system passwords and other security parameters|
|Protect cardholder data|3. Protect stored cardholder data|
||4. Encrypt transmission of cardholder data across open, public networks|
|Maintain a vulnerability management program|5. Use and regularly update anti-virus software or programs|
||6. Develop and maintain secure systems and applications|
|Implement strong access control measures|7. Restrict access to cardholder data by business need-to-know|
||8. Assign a unique ID to each person with computer access|
||9. Restrict physical access to cardholder data|
|Regularly monitor and test networks|10. Track and monitor all access to network resources and cardholder data|
||11. Regularly test security systems and processes|
|Maintain an information security policy|12. Maintain a policy that addresses information security for all personnel|
A business that is PCI compliant agrees to adhere to these security requirements. These standards help protect sensitive personal information associated with credit card transactions.
PCI Compliance vs. Validation
PCI-DSS must be implemented by all entities that deal with cardholder data. However, not every entity is required to validate compliance. What entities must comply or validate?
Issuing banks must comply with PCI-DSS standards for securing cardholder data, but they are not required to go through validation.
Acquiring banks must comply with the standards, as well as validate their compliance with an audit.
All merchants and service providers utilizing the Visa and MasterCard networks are required to comply with PCI-DSS.
There are different levels of compliance and validation required, depending on the volume of card transactions that are processed. PCI-DSS compliance is an ongoing process. As a business grows and expands, it will have different compliance requirements.
|Classification Level|Merchant Characteristics|Compliance Requirements|
|---|---|---|
|Level 1|Merchants who process more than 6 million Visa, MasterCard, or Discover transactions, or more than 2.5 million American Express transactions annually|Annual onsite assessment conducted by a third-party vendor; quarterly scans|
|Level 2|Merchants who process between 1 and 6 million Visa, MasterCard, or Discover transactions, or between 50,000 and 2.5 million American Express transactions annually|Annual self-assessment; quarterly scans|
|Level 3|Merchants who process between 20,000 and 1 million Visa, MasterCard, or Discover transactions, or fewer than 50,000 American Express transactions annually|Annual self-assessment; quarterly scans|
|Level 4|Merchants who process fewer than 20,000 Visa, MasterCard, or Discover transactions annually|Annual self-assessment; annual scans|
Criticisms of PCI-DSS
The PCI-DSS is not without its critics. Opponents of the standards assert that they impose unwieldy and burdensome requirements that are difficult and expensive to meet. Others insist that the standards are little more than a money-making scheme for the credit card associations, offering nothing more than a means to levy fines for implied infractions.
In contrast, PCI-DSS supporters maintain that the standards are a valid method of ensuring cardholder security, if only by making entities aware of the need for increased IT security.
The Future of Credit Card Security
With an increasing dependence on credit card networks, there will always be a need for cardholder security. Fraud and identity theft are expensive crimes for both the cardholder and the merchant.
Even with PCI-DSS compliance attempts, merchants are still susceptible to data breaches. As long as there are hackers actively engaged in separating consumers from their hard-earned money, there will continue to be a risk of credit card fraud, unauthorized transactions, and the resulting chargebacks.
If you’d like more information on incorporating chargeback management into data security solutions, let us know.