PCI DSS

QUALITY ACADEMY EGYPT
PAYMENT CARD INDUSTRY STANDARD

     Introduction:

The Payment Card Industry Security Standards Council, or PCI SSC (often termed simply "the Council"), is an open global forum launched in 2006 that develops, maintains and manages the PCI Security Standards, which include the Data Security Standard (DSS), the Payment Application Data Security Standard (PA-DSS) and the PIN Transaction Security (PTS) Requirements.

The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process including prevention, detection and appropriate reaction to security incidents.

History of the Standard

In response to growing concern about the possible compromise of credit card data, the major card brands individually developed security programs for the protection of cardholder data. As a result, merchants and processors that handled multiple card brands (i.e. almost everyone) had to comply with multiple non-aligned card security programs, which became onerous if not impossible. To reduce the burden of compliance and to improve security industry-wide, the five major card brands, led by Visa and MasterCard, agreed on a common set of requirements (based primarily on the Visa US program, which had been operating since 2000). This was published in December 2004 as the Payment Card Industry Data Security Standard (PCI DSS). The existing security programs of the card brands remained in place, but all adopted the common set of requirements.

Administration of the standard was initially carried out by Visa and MasterCard. In September 2006 the five card brands founded the PCI Security Standards Council (PCI SSC) to take over administration and other responsibilities.

The PCI SSC's responsibilities include developing and maintaining the PCI DSS and related documents, and running the programs that approve Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), who carry out compliance validation work. However, the PCI SSC is not responsible for compliance enforcement or validation; that is the responsibility of the card brands under their respective card security programs.

PCI DSS originally began as five different programs:

  • Visa Card Information Security Program
  • MasterCard Site Data Protection
  • American Express Data Security Operating Policy
  • Discover Information and Compliance
  • JCB Data Security Program

Each company had similar intentions: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was formed, and on 15 December 2004 these companies aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).

In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0. Version 1.2 was released on 1 October 2008, and Version 1.1 on 31 December 2008. Version 1.2 did not change the requirements; it only enhanced clarity, improved flexibility and addressed evolving risks and threats. In August 2009 the PCI SSC announced the move from version 1.2 to version 1.2.1, making minor corrections designed to create more clarity and consistency among the standards and supporting documents.

The latest version of PCI DSS, PED and PA-DSS is version 2.0. It was released in October 2010, and all merchants had to comply with its requirements by January 2011. Approximately 130 changes were made to the documents, resulting from the feedback forms received from stakeholders. The changes mainly concern further clarification of the requirements, additional guidance on meeting these requirements, and evolving requirements (requirements that address a situation not specified in the standards).


     Overview:

The Payment Card Industry Data Security Standard is a set of baseline security requirements aimed at protecting cardholder data through a set of organisational and technical measures. The standard consists of 12 high-level requirements and numerous detailed requirements, arranged under the following 6 principles:

  • Build and Maintain a Secure Network
    • Install and maintain a firewall configuration to protect cardholder data
    • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    • Protect stored cardholder data
    • Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    • Use and regularly update anti-virus software or programs
    • Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Restrict access to cardholder data by business need-to-know
    • Assign a unique ID to each person with computer access
    • Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    • Track and monitor all access to network resources and cardholder data
    • Regularly test security systems and processes
  • Maintain an Information Security Policy
    • Maintain a policy that addresses information security for employees and contractors

The PCI DSS is not law. Compliance is part of the contractual relationship between the credit card organisations and acquiring banks, and then between the banks and their clients. However, the ultimate sanction for non-compliance, in addition to the damage to reputation and the financial loss that follow a compromise of the confidentiality or integrity of cardholder information, is the cancellation of the merchant's right to process credit card payments or the imposition of additional fees. This is a very effective mechanism and is likely to ensure that the PCI DSS receives a high level of management attention.

Even though it is entirely focused on the protection of cardholder information, the PCI DSS is a good baseline for securing the storage, transmission and retention of any sensitive data, and implementing the PCI DSS requirements is a prudent measure for any organisation that handles sensitive data.

In fulfilling the requirements of PCI DSS, an organisation may decide to seek further guidance from other standards and guides. For IT management, the ISO 20000 standard, ITIL best practices or the CobiT framework may provide further implementation guidance.


     Global Adoption:

The Payment Card Industry Data Security Standard applies to all merchants and service providers where "a Primary Account Number (PAN) is stored, processed, or transmitted". It applies only to cards that carry the brand of one of the five PCI members: typically credit cards, but increasingly debit cards as well, as the card schemes expand their service offerings.


     Benefits:

Compliance with data security standards can bring major benefits to businesses of all sizes, while failure to comply can have serious and long-term negative consequences. Here are some reasons why.

  • Compliance with the PCI DSS means that your systems are secure, and customers can trust you with their sensitive payment card information:
    • Trust means your customers have confidence in doing business with you
    • Confident customers are more likely to be repeat customers, and to recommend you to others
    • Compliance improves your reputation with acquirers and payment brands, the partners you need in order to do business
  • Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but in the future:
    • As data compromise becomes ever more sophisticated, it becomes ever more difficult for an individual merchant to stay ahead of the threats
    • The PCI Security Standards Council is constantly working to monitor threats and improve the industry's means of dealing with them, through enhancements to the PCI Security Standards and by training security professionals
    • When you stay compliant, you are part of the solution: a united, global response to fighting payment card data compromise

Compliance has indirect benefits as well:

  • Through your efforts to comply with the PCI Security Standards, you will likely be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.
  • You will have a basis for a corporate security strategy
  • You will likely identify ways to improve the efficiency of your IT infrastructure

But if you are not compliant, it could be disastrous:

  • Compromised data negatively affects consumers, merchants, and financial institutions
  • Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future
  • Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and depressed share price if yours is a public company
  • Possible negative consequences also include:
    • Lawsuits
    • Insurance claims
    • Cancelled accounts
    • Payment card issuer fines
    • Government fines


     Auditing:

Compliance with the standard is mandatory for all organisations to which PCI DSS applies. While compliance is mandatory, validation of compliance varies depending on a number of factors. Validation is the proof of compliance and takes one of two forms, each carried out annually:

  1. On-site assessment (audit) by a PCI QSA (Qualified Security Assessor). Internal audit is allowed in some circumstances
  2. Self-assessment

In addition, quarterly network security scans must be performed by a PCI SSC Approved Scanning Vendor (ASV). In the case of low-volume merchants, validation may not be required.


     Choosing a Registrar:

It is important to select an approved certification body and to ensure that it meets the following criteria:

  • Ensure the company is accredited to ISO/IEC 17021:2006, and that the certification body's accreditation is issued by a recognised competent body
  • Obtain quotations from several certification bodies
  • Do not select the cheapest, as their auditing or service may be below standard
  • Ensure the certification body is recognised by your customers and that it has relevant experience in your industry sector
  • You are not obliged to use the services of an accredited certification body; in some countries you may find a certification body that is recognised in your country and by your customers, delivers a high level of service and operates under stringent accreditation guidelines and rules


     Route to Registration:

If you are a merchant that accepts payment cards, you are required to be compliant with the PCI Data Security Standard. Your exact compliance requirements can only be confirmed by your payment brand or acquirer. However, before you take action, you may want to obtain background information and a general understanding of what you will need to do from the information and links here.

The PCI DSS follows common-sense steps that mirror security best practices. There are three steps for adhering to the PCI DSS, which is not a single event but a continuous, ongoing process. First, Assess: identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyse them for vulnerabilities that could expose cardholder data. Second, Remediate: fix vulnerabilities and do not store cardholder data unless you need it. Third, Report: compile and submit the required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and the card brands you do business with.


     Further Information:

If you would like further information, please contact our office directly on +2 (03) 5535818 or email info@QualityAcademyEgypt.com.