• About CSIA
  • Mission Statement
  • Committees
  • CSIA Team
  • CSIA Offices
• Board Members
• Events
  • CSIA Events
  • Industry / Gov't Events
  • Member Events
• Member Directory
• Newsletters
  • Current Issue
  • Archive
  • Sign Up
• Testimonials
• Join CSIA

PCI Data Security Standard: Get the Facts

What is the PCI Data Security Standard?

The Payment Card Industry Data Security Standard (PCI DSS), a set of computer security requirements aimed at improving payment account security, is the result of the combined effort of Visa and MasterCard to protect credit card data. The global security standard includes requirements for security management, policies, procedures, network architecture, software design, data encryption, auditing/reporting and vulnerability scanning, among other critical protective measures. Formed in response to the theft of credit card information from vendors, the standard includes 12 requirements that all businesses that handle credit card data must meet, including the use of firewalls, antivirus software, security audits, network monitoring and others.

Who must comply with the PCI DSS?

Globally, all retailers, online merchants, data processors and other businesses that handle credit card data must comply with the PCI DSS. This includes hospitals, restaurants, insurance companies, government agencies, airlines, utilities and more. While there is no law mandating compliance, the PCI DSS is a contractual obligation. When an organization signs up to do business with a payment card vendor, they enter into a contractual obligation to comply with the PCI DSS. Companies that do not comply face fines and risk damaging relationships with the major payment card vendors, which is a less quantifiable, but important business consideration. Non-compliant companies may face fines of more than $500,000.

Merchants who comply with the PCI DSS will benefit from more than just good standing with credit card companies. Compromised credit card data can lead to huge costs outside of PCI DSS-related fines, potential lawsuits and damaged reputation. Compliance with the security measures set forth by the PCI DSS can eliminate these risks.

Who is in charge of the PCI Data Security Standard?

On September 7, 2006, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International created an independent council designed to manage the PCI DSS. The PCI Security Standards Council is an independent body formed to develop, enhance, disseminate and assist with implementation of security standards for payment account security. The organization maintains and evolves the PCI DSS, working to promote its broad industry adoption and providing the tools needed for compliance with the standard.

As of May 2007, the PCI Security Standards Council has over 200 participating organizations. These organizations represent the EMEA, North America, Latin America and Asia Pacific. Participating organizations work with the PCI Security Standards Council and have an opportunity to influence the direction of PCI standards through active involvement in community meetings, advance review of drafts of standards and supporting materials and regular dialogue with key stakeholders.

For more information on the PCI Security Standards Council, please visit https://www.pcisecuritystandards.org/.

What are the PCI DSS requirements?

The PCI Data Security Standard is made up of 12 requirements that fall into the following areas:

• Build and Maintain a Secure Network - Merchants are required to install and maintain a firewall configuration to protect cardholders. Vendor-supplied defaults for system passwords and other security parameters cannot be used.
• Protect Cardholder Data - Merchants are required to protect stored cardholder data and encrypt the transmission of cardholder data across open and public networks.
• Maintain a Vulnerability Management Program - Merchants must use and regularly update anti-virus software and develop and maintain secure systems and applications.
• Implement Strong Access Control Measures - Merchants must restrict access to cardholder data by business need-to-know, assign a unique ID to each person with computer access and restrict physical access to cardholder data.
• Regularly Monitor and Test Networks - Requires merchants to track and monitor all access to network resources and cardholder data and to regularly test security systems and processes.
• Maintain an Information Security Policy - Merchants must maintain a strong security policy to set the security tone for the whole company and inform employees what is expected of them.

How can an organization comply with the PCI Data Security Standard?

To comply with the PCI DSS, organizations must conduct a pre-assessment to determine where they currently stand in terms of PCI compliance, compared to where they need to be. Next, organizations need to form a remediation plan that provides guidance on what is needed and the steps that should be taken to achieve compliance. Finally, organizations need to carry out the plan. These steps can involve buying new technology products and consulting services or adding additional staff.

Some credit card companies are taking their own steps to entice merchants to comply with the PCI DSS, including education, fines, vulnerability scans, personalized assistance and other tools and information to help them safeguard data.

What are the challenges to compliance?

When the PCI DSS was first introduced, many found the standard to be too vague and were concerned over the ambiguous reporting deadlines. However, merchants and processors worldwide are concerned with maintaining compliance if the standard continuously evolves. The PCI Security Standards Council states that they do not expect changes to occur more than once a year.

It has been estimated that the cost of compliance can reach as high as $10 million for companies with a large amount of credit card transactions. Most of these costs will stem from adding staff to handle the new security tasks and buying needed technology products and consulting services.

What is CSIA's position on the standard?