Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for protecting credit card transactions. It grew out of five different security frameworks that were designed and implemented by major credit card issuers. These all shared similar goals and features, so it made sense to create an industry-wide standard that all organizations handling credit card transactions and data could adopt. This occurred in the mid-2000s, and there are now close to 800 organizations that are members of the Payment Card Industry Security Standards Council (PCI SSC), the body that controls and agrees on updates to the PCI DSS standard.

The current release of the PCI DSS standard is version 3.2.1. A revised version 4.0 is scheduled for final agreement and release in 2022. All references to requirements for PCI DSS mentioned in this article are for the current 3.2.1 release. We will update this article as required when PCI DSS V4.0 is completed.

Both Visa and Mastercard require organizations that want to process credit card payments and data through their systems to be compliant at one of the four available PCI DSS levels. In reality, this means that everyone needs to comply with PCI DSS to transact credit card payments.

The PCI DSS Levels

The PCI SSC defines its four levels under a system named the PCI Merchant Risk Level System. The levels are determined by the number of credit card transactions an organization handles each year. The more transactions, the higher the level of compliance required, with Level 1 being the highest and mandated for any organization processing over six million annual transactions. This level system is designed to allow more stringent security requirements and procedures to be applied as the level of risk increases, while not overburdening smaller organizations with requirements that are only pertinent to those that process many financial transactions.

PCI DSS Requirements

PCI DSS has security and IT requirements spread across 12 areas. In brief, they are as follows:

  1. Firewalls - how hardware and software firewalls should be configured and what protections they should deliver for PCI DSS compliance.
  2. Configuration settings and standards - make sure that IT systems are hardened: no use of vendor default settings, change default passwords, and disable unused accounts.
  3. Encrypt data at rest - stored data should be protected, and only the data that is actually needed should be stored.
  4. Secure data in transit - encrypt traffic over networks using current TLS. Remove or reconfigure endpoints that still accept compromised SSL protocol versions or TLS 1.1.
  5. Deploy anti-virus and malware protection - with procedures for testing and updating it frequently.
  6. Keep systems up to date - test and deploy security and other system updates promptly. Make sure that software development practices use security code-checking tools to find vulnerabilities.
  7. Restrict access to credit card and other data - use privileged access management (PAM) controls to restrict and record all access to sensitive data.
  8. Use strong user management - require a unique user ID for every employee. Use one-time passwords for access to critical systems (combined with the PAM controls in requirement 7).
  9. Enforce physical security - restrict access to buildings where card data is processed. Track access to point of sale (POS) terminals. Secure paper records (receipts, sales listings). Make sure information isn't left displayed on unattended endpoints.
  10. Enforce comprehensive logging - ensure all access is logged and that the logs cannot be edited after the event (this ties into PAM systems that can enforce it).
  11. Do comprehensive security testing - test security processes and systems at all levels frequently for any gaps. Run vulnerability scans on code and penetration tests on networks.
  12. Document everything and do risk assessments - fully document all processes and perform detailed risk assessments that can be audited.
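Requirement 10 above asks that access logs cannot be altered after the event. One common way to make edits detectable is a keyed hash chain: each entry carries an HMAC over its own content and the previous entry's tag, so changing, removing or reordering an earlier entry breaks every tag that follows. The example below is added here as an illustration and is not code from the PCI DSS standard or from any PCI SSC tool; the event records, field names and the key are constructed for the demonstration.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample access events (not from the standard): accesses to
# systems that hold cardholder data, as a PAM or audit collector might record them.
SAMPLE_EVENTS = [
    {"ts": "2022-01-01T10:00:00Z", "user": "alice", "action": "read", "resource": "cardholder-db"},
    {"ts": "2022-01-01T10:05:00Z", "user": "bob", "action": "export", "resource": "cardholder-db"},
    {"ts": "2022-01-01T10:07:00Z", "user": "alice", "action": "read", "resource": "pos-terminal-7"},
]

# Tag used as the "previous" link for the very first entry.
GENESIS = "0" * 64


def _canonical(event):
    """Serialize an event deterministically so the same event always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def append_entry(chain, event, key):
    """Append one event, binding it to the previous entry's tag with an HMAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    mac = hmac.new(key, (prev + _canonical(event)).encode(), hashlib.sha256).hexdigest()
    chain.append({"prev": prev, "event": event, "mac": mac})
    return chain


def build_chain(events, key):
    """Build a complete chain from a list of events."""
    chain = []
    for event in events:
        append_entry(chain, event, key)
    return chain


def verify_chain(chain, key):
    """Return the index of the first entry that fails verification, or None if intact.

    An entry fails if its stored link does not match the previous tag (deletion or
    reordering) or if its HMAC does not match its content (edit or wrong key).
    """
    prev = GENESIS
    for index, entry in enumerate(chain):
        if entry["prev"] != prev:
            return index
        expected = hmac.new(key, (prev + _canonical(entry["event"])).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return index
        prev = entry["mac"]
    return None


def demo():
    """Build a chain, then show that an edit and a deletion are both detected."""
    key = b"constructed-demo-key"  # in practice held only by the log collector
    chain = build_chain(SAMPLE_EVENTS, key)

    # Tamper 1: rewrite the 'export' in entry 1 to look like a harmless 'read'.
    edited = copy.deepcopy(chain)
    edited[1]["event"]["action"] = "read"

    # Tamper 2: remove entry 1 entirely, as if the export never happened.
    deleted = chain[:1] + chain[2:]

    return {
        "intact": verify_chain(chain, key),       # None: chain is unmodified
        "edited_entry": verify_chain(edited, key),  # 1: entry 1's tag no longer matches
        "deleted_entry": verify_chain(deleted, key),  # 1: the entry now at index 1 links to a missing tag
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC key matters: with a plain unkeyed hash chain, anyone who can edit the log file can also recompute every tag after the edit. Keeping the key on a separate collector, or periodically anchoring the latest tag somewhere the logging host cannot write, is what turns the chain into an audit control rather than a checksum.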
