Payment Card Industry Data Security Standards (PCI DSS)

Thidasala Demintha Rathnayake
3 min readDec 3, 2020

source: https://documentmedia.com/article-2785-DATAMATX-Meets-Requirements-for-Payment-Card-Industry-Standards.html

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance the security of cardholder data and to facilitate the broad adoption of consistent data security measures globally. It applies to all merchants and service providers that store, process or transmit cardholder data. PCI DSS was first released in 2004 as a collaboration between the major card brands: American Express, Discover, JCB, MasterCard and Visa.

All organizations that accept credit or debit cards and store, process or transmit cardholder data must comply with this standard. The compliance requirements for merchants and service providers differ based on the size of the organization and the volume of transactions it handles. The criteria that a merchant or service provider must meet are set by the individual payment brands, each of which runs its own compliance program.

To become PCI DSS compliant, merchants and service providers must satisfy 12 requirements, which are organized into six control objectives. Figure 1 shows the security standards defined by the PCI Security Standards Council.

Figure 1: security standards defined by the PCI Security Standards Council (source: https://www.pcicomplianceguide.org/a-first-look-at-pci-dss-3-1/)

PCI DSS is a standard, not a law. It is enforced through contracts between merchants, acquiring banks and payment brands. Maintaining compliance is notoriously complicated, and many organizations fail to sustain it: Verizon's 2018 Payment Security Report found that nearly half (47.5%) of the organizations it assessed for interim PCI DSS compliance had failed to maintain all of their security controls. A business found to be non-compliant is subject to PCI DSS fines, which the payment brands levy on the acquiring bank and which the bank typically passes on to the merchant. The amount varies with many factors, including the scope of exposure and the degree of non-compliance; penalties commonly range from $5,000 to $100,000 per month and increase the longer a company remains non-compliant. Those still not compliant after seven months can expect to pay up to $100,000 per month until they meet the PCI DSS requirements.

Smaller merchants and service providers can assess the security of their cardholder data environment using a Self-Assessment Questionnaire (SAQ). There are several types of SAQ, each with different requirements; some require internal and external vulnerability scans and regular penetration testing. Larger merchants and service providers (those with the highest transaction volumes) cannot self-assess: an on-site assessment must be carried out by a PCI Qualified Security Assessor (QSA), who issues a formal Report on Compliance (ROC) to the organization's acquiring bank and payment brands, attesting that it fully complies with the standard. Although requirements differ between organizations, a PCI DSS gap analysis is a useful first step to determine the current level of compliance and outline the specific steps needed to reach full compliance. It includes a detailed review of compliance activities such as on-site interviews with key staff, an assessment of the in-scope system components and their configurations, and a physical and logical data-flow analysis, as well as an examination of components presumed to be out of scope.
