This article provides a basic understanding of compliance and the PCI DSS. It's a very broad view of the subject but it should give you a good introduction to its purpose, structure, and implications.
What is Compliance?
PCI Compliance refers specifically to the Payment Card Industry Data Security Standard (PCI DSS) as enforced by the PCI Security Standards Council (PCI SSC). The PCI DSS is a set of 12 requirements that businesses must meet in order to protect cardholder data.
The objective of compliance is to ensure the security and privacy of credit card information. This is important because if cardholder data is compromised, it can lead to identity theft, financial fraud, and other security breaches.
What is the PCI DSS?
The PCI DSS is a set of 12 requirements that businesses must meet in order to protect cardholder data. The requirements are organized into six categories, which correspond to the six goals of the PCI DSS: protect cardholder data, maintain a secure network, protect against malware and hacking, maintain a vulnerability management program, implement strong access control measures, and regularly monitor and test networks.
Why is Compliance Important?
Compliance is important because it helps to protect the security and privacy of credit card information. If cardholder data is compromised, it can lead to identity theft, financial fraud, and other security breaches.
Compliance is a requirement of the PCI DSS, which was created by payment brands Visa, MasterCard, American Express, Discover, JCB International and the Canadian Payments Association. The six major payment brands oversee compliance to the standard.
Who Needs to be Compliant?
Businesses that process, store, or transmit credit card data must comply with the PCI DSS. This is true for companies in industries that accept payments by card (retail, restaurants, etc.), merchants who accept card payments through their websites (websites that sell products), companies in an open-loop environment using third-party processors to accept payments (cloud service providers), and even companies using payment apps on mobile devices, such as Square.
What is the Difference Between PCI DSS Compliance and EMV Compliance?
EMV stands for Europay, MasterCard and Visa, and it refers to a new global standard for credit card processing.
EMV cards use an embedded microchip to authenticate transactions, whereas traditional magnetic stripe cards rely on static data which can be easily copied and used for fraudulent purposes.
The PCI DSS is a security standard that applies to all businesses that process, store, or transmit credit card data, regardless of whether they use EMV cards or not. However, the EMV liability shift does have implications for PCI compliance.
What Does it Mean to Comply with the PCI DSS?
Compliance means that you are in full control of all cardholder data. This means that any cardholder data stored on your systems, used by your staff, or processed by third-party processors must be fully protected at all times.
Compliance also means that you must adhere to the PCI DSS requirements and that you must pass quarterly security scans by an Approved Scanning Vendor (ASV). You must also maintain a compliance posture in order to be eligible for PCI certification.