An overview of PCI DSS

You don’t have to look far to find news of a breach affecting payment card information. Breaches happen every day, largely due to cyberattacks or, more likely, to the loss, theft or careless handling of computers, USB drives, and paper files that contain unsecured payment data.

Once this data gets into the hands of a malicious actor, it can be used to commit fraud by making illicit purchases or money withdrawals. In response to increased threats to payment card data, the five major payment brands American Express, Discover, MasterCard, Visa, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) in 2004.

Their goal was to control the burgeoning levels of payment card fraud and to enhance payment card security. The PCI SSC developed the Payment Card Industry Data Security Standard (PCI DSS) as a detailed and comprehensive standard set of minimum security requirements for cardholder data. While PCI is not a law, any merchant or service provider that handles payment card data must meet PCI requirements in order to accept payment cards. The industry regulations took effect in June 2005 and apply to organizations all around the world.

PCI DSS is an actionable framework for building and maintaining security around covered entities payment system environments and the data they process and store. The payment card brands themselves enforce compliance with the security standard for the merchants and service providers that accept their branded forms of payment. Penalties for non-compliance vary – especially in the face of a breach – but can include fines, increased scrutiny of computer systems, potential suspension or expulsion from card processing networks, and liability for fraud charges and related costs.

What organizations PCI applies to?

PCI applies to all organizations or merchants, regardless of size or number of transactions, that accept, transmit, process or store any cardholder data. This includes companies or organizations that accept payment cards in person, online, over the phone, or on printed forms.

The extent to which an organization needs to implement, maintain, and verify PCI DSS controls depends on the number of card transactions it handles in a year. There are four “merchant levels,” ranging from Level 4, which includes organizations that process a very small number of transactions annually, to Level 1, which handles multiple millions of transactions or more each year. (The merchant level definitions vary by card brand.)

Encryption requirements for PCI DSS

PCI is one regulation that explicitly calls for encryption of cardholder data and the communication paths the data will travel over. PCI DSS is very specific and detailed about the required use of encryption in the cardholder data environment (CDE) as well as the proper rotation of encryption keys. Consult the document Requirements and Security Assessment Procedures, Version 3.1, April 2015 in the PCI Documents Library for full details.

Tokenization is another data masking technique that is commonly used for PCI compliance. Tokens are used in place of primary account numbers (PANs) in situations such as storing card-related information after a transaction is complete. Tokens provide the added benefit of reducing the CDE such that the annual PCI audit process is easier to complete.

Share This: