What’s the PCI DSS?

PCI DSS guidelines aim to prevent data leaks and credit card fraud. Compliance involves assessing risks, remediation, and reporting to relevant issuers. A secure network, encryption, and restricted access to data are essential, and credit card brands offer guidance. Stored data should be limited, and a vulnerability management program is required.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines and best practices provided to all companies and other entities that process, transmit or store credit card data. These guidelines were developed by the PCI Security Standards Council (PCI SSC) and are intended to prevent data leaks and consequent identity theft and credit card fraud. There are three ongoing phases involved in complying with the PCI DSS: assessing business processes and identifying potential risks, remediating those risks, and reporting compliance efforts to banks and other relevant credit card issuers.

The fundamental requirement of the Payment Card Industry Data Security Standard is the creation and maintenance of a secure computer network. A robust firewall must separate cardholder data from external network access. Strong system passwords and other security controls must be in place at every potential point of network vulnerability. All cardholder data must be stored securely and must be encrypted whenever it is transmitted over public networks. Ongoing measures include the use of antivirus software and limiting physical and logical access to cardholder data to those personnel whose job requires it.

There are numerous tools and services available to help organizations deal with PCI DSS. While the PCI SSC sets the compliance standard itself, each major credit card brand has created its own rules for enforcing it and for validating compliance, as well as its own credit card validation procedures. Each of these companies offers online and other guidance for organizations that accept their cards. PCI SSC also operates a program that approves Qualified Security Assessors, who validate compliance with the Payment Card Industry Data Security Standard. For organizations assessing their own compliance, PCI SSC provides validation tools called Self-Assessment Questionnaires in a variety of forms, each tailored to a specific business environment.

A key premise in complying with the Payment Card Industry Data Security Standard is to store only the credit card data essential to the organization's needs. Stored data should be subject to retention time limits, and transaction authentication data should never be stored. All account numbers and other sensitive data transmitted over public networks must be partially masked.
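The three rules in the paragraph above (drop authentication data before anything is retained, keep only a masked account number, and attach a retention limit to what is stored) are easy to get wrong in application code. The following Python is an added example, not code from the page or from PCI SSC; it shows one way to apply those rules to an authorization record before it reaches a database or a log. The field names, the 90-day retention period and the sample record are constructed assumptions; the Luhn check and the first-six/last-four masking format are standard card-industry conventions used here for illustration.

```python
import re
from datetime import datetime, timedelta

# Hypothetical field names for "sensitive authentication data": values that
# must never be retained after authorization, not even encrypted.
SENSITIVE_AUTH_FIELDS = ("cvv", "pin", "track_data")

# Assumed business retention period for the stored (masked) record.
RETENTION_DAYS = 90

# A run of 13-19 digits is treated as a possible PAN when scrubbing free text.
PAN_RE = re.compile(r"\d{13,19}")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped or obviously bogus account numbers."""
    digits = [int(c) for c in re.sub(r"\D", "", pan)]
    if not 13 <= len(digits) <= 19:
        return False
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:      # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display/storage, keeping only the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def prepare_for_storage(record: dict, now_iso: str) -> dict:
    """Return a copy of an authorization record that is safe to retain.

    Sensitive authentication fields are dropped, the full PAN is replaced by its
    masked form, and a retention deadline is attached so expired rows can be purged.
    """
    if not luhn_valid(record["pan"]):
        raise ValueError("PAN fails Luhn check")
    now = datetime.fromisoformat(now_iso)
    stored = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    stored["pan_masked"] = mask_pan(record.pop("pan") if False else record["pan"])
    del stored["pan"]
    stored["retain_until"] = (now + timedelta(days=RETENTION_DAYS)).isoformat()
    return stored


def is_expired(stored: dict, now_iso: str) -> bool:
    """True once the stored record has passed its retention deadline."""
    return datetime.fromisoformat(stored["retain_until"]) <= datetime.fromisoformat(now_iso)


def scrub_free_text(text: str) -> str:
    """Mask any PAN-looking digit run in log lines or error messages before they are written."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)


# Constructed sample authorization record; the PAN is a well-known test number.
SAMPLE_AUTH = {
    "merchant_ref": "ORDER-1001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
    "track_data": "constructed-track-data",
}

if __name__ == "__main__":
    stored = prepare_for_storage(dict(SAMPLE_AUTH), "2024-01-01T00:00:00+00:00")
    print(stored)
    print(scrub_free_text("auth failed for card 4111111111111111 (ref ORDER-1001)"))
```

The retention check is deliberately separate from the write path: a periodic job can call `is_expired` over stored rows and delete those past `retain_until`, which is what "time limits" on stored data means in practice. The scrubber covers the common leak path the paragraph does not spell out, a full account number landing in an application log.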

Other ongoing PCI DSS measures include creating and maintaining a vulnerability management program that develops and maintains secure systems and applications. Routine monitoring and network testing to identify weaknesses are also required. Each organization must also maintain a written security policy and distribute it to all personnel.
