Payment Card Industry Data Security Standards (PCI DSS) : (By Shahid Rafiq)

The Payment Card Industry Data Security Standards (PCI DSS) were developed by the PCI Security Standards Council to protect cardholder data and ensure consistent data security measures globally. The standards apply to all entities involved in payment card processing and specify twelve requirements organized into six control objectives. These include requirements to install firewalls, encrypt data transmission, use anti-virus software, and restrict access to cardholder data. Merchants and other entities must comply with PCI DSS and are classified by risk level to determine the validation and reporting process used.

Payment Card Industry Data Security Standards (PCI DSS)

(By Shahid Rafiq)


Background.

The breach or theft of payment card data affects the entire payment card ecosystem. Customers suddenly lose trust in merchants or financial institutions, and their credit can be negatively affected; the personal fallout is enormous. Merchants and financial institutions lose credibility (and in turn, business), and they are also subject to numerous financial liabilities. As a result, the Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. It is an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
PCI Security Standards.

The Payment Card Industry Data Security Standard (PCI DSS) was developed by PCI SSC to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called "control objectives".
Control Objectives/ Goals and Requirements.

Each version of PCI DSS has divided these twelve requirements into a number of sub-requirements differently, but the twelve high-level requirements have not changed since the inception of the standard.

Control Objective / Goal: Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Control Objective / Goal: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Control Objective / Goal: Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Control Objective / Goal: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Control Objective / Goal: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Control Objective / Goal: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors

How to Comply with PCI DSS?

Merchants and other entities that store, process and/or transmit cardholder data must comply with PCI DSS. While the Council is responsible for managing the data security standards, each payment card brand maintains its own separate compliance enforcement program. Each payment card brand has defined specific requirements for compliance validation and reporting, such as provisions for performing self-assessments and when to engage a Qualified Security Assessor (QSA). Depending on an entity's classification or risk level (determined by the individual payment card brands), the processes for validating compliance and reporting to acquiring financial institutions usually follow this track:

PCI DSS Scoping - determine what system components are governed by PCI DSS
Assessing - examine the compliance of system components in scope
Compensating Controls - the assessor validates alternative control technologies/processes
Reporting - the assessor and/or entity submits the required documentation
Clarifications - the assessor and/or entity clarifies/updates report statements (if applicable) upon request of the acquiring bank or payment card brand
