In order to establish a secure and reliable payment system, banks and credit card companies established standards that merchants must follow in their transaction processing methods. One of those standards is the Payment Card Industry Data Security Standard (PCI DSS), which provides a framework for establishing controls around data security. Merchants who accept payment cards are required to be compliant with the PCI DSS, and depending on the number of transactions that they process, they may also be required to undergo an external security audit.
How does it work?
The Payment Card Industry Security Standards Council (PCI SSC) is a worldwide organization that owns and manages the PCI DSS standard. It creates new standards as necessary and also provides education, awareness and support to maintain compliance with the PCI DSS. The council consists of six major players in the world of financial transactions: American Express, Discover Financial Services (DFS), JCB International, MasterCard Worldwide, National Australia Bank and Visa Inc.
The PCI SSC divides its standard into 12 main requirements that merchants must comply with. The Council describes these requirements as the following:
- Build and Maintain a Secure Network – Merchants should protect all of their systems from unauthorized access. Additionally, cyber-attacks should be monitored in order to detect any suspicious activity.
- Implement Strong Access Controls – Merchants need to clearly define what type of access is granted to each employee or contractor. In addition, all access to stored data must be limited and monitored.
- Protect Cardholder Data – Merchants need to protect, encrypt and regularly back up any cardholder data that they process in order to reduce the risk of a data breach.
- Maintain a Vulnerability Management Program – Merchants should continuously monitor their network for any vulnerabilities that hackers could exploit. If necessary, they should patch those vulnerabilities as soon as possible.
- Implement Strong Access Control Measures – Merchants need to restrict access for vendors and third-party service providers, allowing them access only to the minimum data required for their functions.
- Regularly Monitor and Test Networks – Merchants need to check their network logs on a daily basis in order to detect any suspicious activity.
- Maintain an Information Security Policy – Merchants need to create and maintain security policies that define their overall network security strategy and practices. Additionally, employees should be trained regularly on those policies in order to ensure they are properly implemented across the company.
- Maintain Contact Center Services – Merchants should provide customers with a contact center service for reporting any cyber-attacks or suspicious activities that they notice.
- Maintain an Incident Response Plan – If a cyber-attack does occur, merchants need to immediately implement their incident response plan and make sure all employees follow it. The incident should be reported regularly and thoroughly to the council and customers (if necessary), in order to minimize further damage.
- Deploy Public Key Infrastructure (PKI) – Merchants should implement a public key infrastructure (PKI), which provides an environment where all employees use the same certificate to access the company’s network. This ensures that no one else can gain access if their certificates are stolen or lost.
- Regularly Monitor and Test Networks – Merchants need to check their systems for any vulnerabilities on a regular basis in order to stay ahead of any potential attacks.
- Maintain an Information Security Policy – Merchants should constantly monitor their network and resources for attacks and data breaches. They must also create and implement security policies that regulate the way they operate and maintain their systems.
What is PCI DSS?
The Payment Card Industry Security Standards Council (PCI SSC) is an organization that is responsible for maintaining the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was created to help companies maintain compliance with the standard and also provides education, awareness, and support to its members. The council consists of major players in the financial transactions arena including American Express, Discover Financial Services (DFS), JCB, MasterCard Worldwide and Visa Inc.
Public Key Infrastructure (PKI)
PCI DSS recommends that merchants implement a Public Key Infrastructure (PKI), which provides an environment where all employees use the same certificate to access the company’s network. This ensures that no one else can gain access if their certificates are stolen or lost.