What is PCI DSS?
Has your payment card ever been compromised? Perhaps you know someone whose card details were stolen and used fraudulently. The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements designed to ensure that every company that processes, stores, or transmits payment card information keeps that data protected and secure. Complying with PCI DSS maintains customer trust and safeguards our company’s reputation. The standard helps us avoid common security weaknesses, prevent financial losses, raise the level of data security, reduce the cost of customer disputes, and avoid litigation, penalties, and fines. You have a legal, moral, and ethical responsibility to guard against breaches of customer data. This course will help you know what to do AND what not to do when you handle customer payment card data. Remember, nothing is more important than keeping our customers’ payment card data secure.
The 12 Requirements
The Payment Card Industry Data Security Standard (PCI DSS) contains 12 requirements designed to protect cardholder data. Six data security experts are here to describe how their companies protect cardholder data and implement these requirements.
Adnan – Requirements 1 & 2
“My main concern is building and maintaining a secure network. To help me achieve this, I always ensure we meet these:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.”
Janice – Requirements 5 & 6
“In my role, I’m responsible for maintaining our vulnerability management program. The PCI DSS requirements that are key to this program are:
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.”
Lily – Requirements 10 & 11
“My QA team regularly monitors and tests our network to ensure we meet the following requirements:
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.”
Yan – Requirements 3 & 4
“To protect our customers’ cardholder data we must:
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.”
Isabel – Requirements 7 & 8
“My main concern is implementing strong access control measures. I do this by always meeting the following requirements:
- Restrict access to cardholder data, including physical access, by business need-to-know.
- Assign a unique ID to each person with computer access.”
Leon – Requirements 11 & 12
“I am responsible for ensuring that we maintain an information security policy. Not only is this essential for us to protect our customers’ data, it also meets the following requirements:
- Maintaining a policy that addresses information security for all personnel.
- Ensuring that all data is safe and secure when stored or in transit.”
Payment Card Breaches
Your colleague Alicia’s payment card statement contains transactions that aren’t hers. The payment card company informs her of a security breach at a hotel where she stayed. Her payment card information, and that of many other guests, was stolen.
- The hotel could face a negative impact on consumer confidence and consumers may choose to stay elsewhere.
- If the hotel’s payment card data security is found not to adhere to PCI DSS, the hotel could face litigation, fines, and penalties from the payment card company.
- The hotel will have to cover the losses incurred by Alicia and by every other guest whose details were compromised.
- Payment card companies are likely to refuse to deal with the hotel until they are satisfied that the reason for the breach has been identified and resolved.
All merchants must adhere to the PCI DSS. If an assessment finds that a merchant does not meet the PCI DSS, the merchant could face litigation, fines, and removal or reduction of services from the payment card company. The effect on how a merchant conducts its business could be devastating.
It’s important to remember that:
- The leading payment card brands all require compliance with the Payment Card Industry Data Security Standard (PCI DSS).
- Litigation, fines, and losing the right to provide a payment card service are some of the penalties that face a company not PCI DSS compliant at the time of a breach.
Your friend Koki is creating a new database for cardholder data. He shares his plans for the database with you and asks which elements comply with PCI DSS.
- Set up the database behind a secure firewall.
- Restrict access to the database server room to authorized personnel only.
- Purge any unnecessary data on a biannual basis.
- Store all cardholder data indefinitely.
Whether the data is printed, stored locally, or transmitted over a public network to a remote server or service provider, any merchant that accepts payment cards has a role to play in keeping cardholder data secure. Heavy fines and penalties are common for merchants, small or large, who fail to meet PCI DSS.
- Cardholder data should never be stored unless it’s necessary to meet the needs of the business.
- Cardholder data storage and retention time should be limited to that required for business, legal, and/or regulatory purposes.
- Data stored unnecessarily should be purged at least quarterly.
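As an added illustration of the storage rules above (not code from the training course), the following Python shows what a cardholder-data store that follows them looks like: it refuses to persist sensitive authentication data such as CVV/CVC, PIN, or track data; it keeps only a truncated PAN (first six / last four) rather than the full number; it records a documented business purpose and a retention deadline for every record; and it purges expired records on an at-least-quarterly schedule. The business purposes, retention periods, field names, and the test card number are illustrative assumptions, not figures taken from the standard.

```python
"""Retention enforcement for stored cardholder data (added example,
not part of the PCI DSS training course).  Purposes, retention periods
and field names are assumptions chosen for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Fields that must never be retained after authorisation.
SENSITIVE_AUTH_DATA = {"cvv", "cvc", "cvv2", "cid", "pin", "pin_block", "track1", "track2"}

# Assumed retention policy: documented business purpose -> days the record is needed.
RETENTION_DAYS = {"chargeback_dispute": 180, "recurring_billing": 365}


@dataclass
class StoredCard:
    record_id: str
    masked_pan: str      # truncated form only; the full PAN is never kept
    purpose: str
    stored_on: date
    expires_on: date


def mask_pan(pan: str) -> str:
    """Truncate a PAN to first six / last four, masking the middle digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class CardholderDataStore:
    def __init__(self) -> None:
        self._records: dict[str, StoredCard] = {}

    def store(self, record_id: str, pan: str, purpose: str, stored_on: str,
              **other_fields) -> StoredCard:
        """Persist a record only if it has a documented purpose and carries no
        sensitive authentication data.  stored_on is an ISO date string."""
        forbidden = SENSITIVE_AUTH_DATA & {k.lower() for k in other_fields}
        if forbidden:
            raise ValueError(f"sensitive authentication data must not be stored: {sorted(forbidden)}")
        if purpose not in RETENTION_DAYS:
            raise ValueError(f"no documented business need for storing this data: {purpose!r}")
        start = date.fromisoformat(stored_on)
        record = StoredCard(
            record_id=record_id,
            masked_pan=mask_pan(pan),
            purpose=purpose,
            stored_on=start,
            expires_on=start + timedelta(days=RETENTION_DAYS[purpose]),
        )
        self._records[record_id] = record
        return record

    def purge_expired(self, today: str) -> list[str]:
        """Delete every record whose retention deadline has passed; return their ids."""
        cutoff = date.fromisoformat(today)
        expired = sorted(rid for rid, r in self._records.items() if r.expires_on <= cutoff)
        for rid in expired:
            del self._records[rid]
        return expired

    def count(self) -> int:
        return len(self._records)


def quarterly_purge_dates(first_run: str, runs: int = 4) -> list[str]:
    """Schedule for the 'at least quarterly' purge, starting at first_run.
    The day of month is clamped to 28 so every scheduled date exists."""
    start = date.fromisoformat(first_run)
    day = min(start.day, 28)
    dates = []
    for i in range(runs):
        month_index = start.month - 1 + 3 * i
        dates.append(date(start.year + month_index // 12, month_index % 12 + 1, day).isoformat())
    return dates


if __name__ == "__main__":
    store = CardholderDataStore()
    # Constructed sample input: a well-known test PAN, not a real card.
    rec = store.store("r1", "4111 1111 1111 1111", "chargeback_dispute", "2024-01-15")
    print(rec.masked_pan, rec.expires_on)    # 411111******1111 2024-07-13
    print(store.purge_expired("2024-07-12"))  # []
    print(store.purge_expired("2024-07-13"))  # ['r1']
    print(quarterly_purge_dates("2024-01-01"))
```

The two rules the quiz above turns on are visible here: a record cannot be written without a purpose that maps to a defined retention period, so nothing is kept "just in case" or indefinitely, and the purge is driven by a schedule that runs at least every three months rather than twice a year.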
This is an extract from our PCI DSS training course.