PCI DSS data protection

PCI DSS – what you need to know in order to stay compliant

The PCI DSS (Payment Card Industry Data Security Standard) is an industry-wide data security benchmark for firms that deal with payment cards issued by the biggest payment card gateway organizations. The guidelines increase the security of cardholder data as well as minimize the risk of credit card fraud. Developed by the PCI Security Standards Council (PCI SSC), the initial members included Amex, Visa, Mastercard, JCB, and Discover.


PCI DSS is not a mandatory legal requirement. Compliance with the regulations and guidelines put forth by the council does, however, allow merchants to improve security, increase customer trust, and reduce the risk of financial fraud. Furthermore, numerous laws refer to PCI DSS. The entire card-processing environment is exposed to vulnerabilities: a malicious actor could, in principle, gain entry through a point-of-sale device, a server, a computer, an application, or even a wireless hotspot.


The PCI DSS is a global standard

PCI DSS is intended for all merchants that store and transmit cardholder data. It applies to firms of any size that accept credit card payments. The standards also apply to service providers if they process, store, or transmit cardholder data, either directly or indirectly. Merchants are advised to deploy strong hardware firewalls and to keep their security settings up to date on a continuous basis.


Currently at version 3.2, the standards were updated and released to the public in April last year. PCI DSS is organized around six major objectives, or goals, which are in turn divided into a dozen high-level PCI DSS requirements. Together they provide a baseline of technical and operational requirements developed to protect cardholder data.


1) Develop and secure a robust network and system

The network through which any financial transactions take place must use adequate firewalls in order to comply with the standards set by the PCI SSC. Companies must store authentication data securely, and customers must be able to change their credentials as required without compromising their data. Vendor-supplied default passwords and firewall configurations must be changed, along with any other default security parameters the vendor provides. You may also need specialized firewalls developed to meet all the requisite guidelines.


2) Guard cardholder information

This is the goal of the entire operation: cardholder information must be secure wherever it resides. All data repositories must meet the standards set by the PCI SSC, and cardholder data must be encrypted whenever it traverses a public network.


3) Have a vulnerability management system

Anti-virus and anti-malware programs should be continually updated and tested against the latest threats to maintain a high level of security. Companies must strive to develop security systems and applications that can withstand all types of hacking attack. Note, however, that anti-virus software on its own is highly ineffective; it is far more important to actually test your security.


4) Employ robust access control mechanisms

Access to your critical system information must be tightly controlled and regulated to minimize risk. Every system component and employee must have a unique identifier, and strong physical and electronic access controls must protect cardholder data. In short, minimize direct access to cardholder data as much as possible.


5) Constantly test and supervise networks

Every network, system, and application under your purview that affects the flow of cardholder data should be tested on a periodic basis. Additionally, monitor the network around the clock to ensure that malicious actors cannot access the data. If continuous monitoring is not possible, scan the programs and applications that exchange cardholder data at regular intervals.


6) Have updated data security practices

You should have a formal, well-defined information security policy in place before processing cardholder data. This policy applies to all personnel with access to cardholder data. Additionally, you should have enforcement measures that encourage and ensure continued compliance.